Measure IT Project Value

  • member rating overall impact (scale of 10): 9.5/10 Overall Impact
  • member rating average dollars saved: $5,549 Average $ Saved
  • member rating average days saved: 6 Average Days Saved
  • People treat benefits as a box to tick on the business case, deflating or inflating them to facilitate project approval.
  • Even if benefits are properly defined, they are usually forgotten once the project is underway.
  • Subsequent changes to project scope may impact the viability of the project’s business benefits, resulting in solutions that do not deliver expected value.

Our Advice

Critical Insight

  • It is rare for project teams or sponsors to be held accountable for managing and/or measuring benefits. The assumption is often that no one will ask if benefits have been realized after the project is closed.
  • The focus is largely on the project’s schedule, budget, and scope, with little attention paid to the value that the project is meant to deliver to the organization.
  • Without an objective stakeholder to hold people accountable for defining benefits and demonstrating their delivery, benefits will continue to be treated as red tape.
  • Sponsors will not take the time to define benefits properly, if at all. The project team will not take the time to ensure they are still achievable as the project progresses. When the project is complete, no one will investigate actual project success.

Impact and Result

  • The project sponsor and business unit leaders must own project benefits; IT is only accountable for delivering the solution.
  • IT can play a key role in this process by establishing and supporting a benefits realization process. They can help business unit leaders and sponsors define benefits properly, identify meaningful metrics, and report on benefits realization effectively.
  • The project management office is ideally suited to facilitate this process by providing tools and templates, and a consistent and comparable view across projects.
  • Project managers are accountable for delivering the project, not for delivering the benefits of the project itself. However, they must ensure that changes to project scope are assessed for impact on benefits viability.

Measure IT Project Value Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should establish a benefits legitimacy practice, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Establish benefits legitimacy during portfolio intake

This phase will help you define a benefits management process to help support effective benefits definition during portfolio intake.

  • Deliver Project Value With a Benefits Legitimacy Initiative – Phase 1: Establish Benefits Legitimacy During Portfolio Intake
  • Project Sponsor Role Description Template
  • Benefits Commitment Form Template
  • Right-Sized Business Case Template

2. Maintain benefits legitimacy throughout project planning and execution

This phase will help you define a process for effective benefits management during project planning and the execution intake phase.

  • Deliver Project Value With a Benefits Legitimacy Initiative – Phase 2: Maintain Benefits Legitimacy Throughout Project Planning and Execution
  • Project Benefits Documentation Workbook
  • Benefits Legitimacy Workflow Template (PDF)
  • Benefits Legitimacy Workflow Template (Visio)

3. Close the deal on project benefits

This phase will help you define a process for effectively tracking and reporting on benefits realization post-project.

  • Deliver Project Value With a Benefits Legitimacy Initiative – Phase 3: Close the Deal on Project Benefits
  • Portfolio Benefits Tracking Tool
  • Benefits Lag Report Template
  • Benefits Legitimacy Handbook Template

Workshop: Measure IT Project Value

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Analyze the Current State of Benefits Management

The Purpose

Assess the current state of benefits management at your organization and establish a realistic target state.

Establish project and portfolio baselines for benefits management.

Key Benefits Achieved

Set achievable workshop goals and align stakeholder expectations.

Establish a solid foundation for benefits management success.

Activities

1.1 Introductions and overview.

1.2 Discuss attendee expectations and goals.

1.3 Complete Info-Tech’s PPM Current State Scorecard.

1.4 Perform right-wrong-confusing-missing analysis.

1.5 Define target state for benefits management.

1.6 Refine project levels.

Outputs

Info-Tech’s PPM Current State Scorecard report

Right-wrong-confusing-missing analysis

Stakeholder alignment around workshop goals and target state

Info-Tech’s Project Intake Classification Matrix

2 Establish Benefits Legitimacy During Portfolio Intake

The Purpose

Establish organizationally specific benefit metrics and KPIs.

Develop clear roles and accountabilities for benefits management.

Key Benefits Achieved

An articulation of project benefits and measurements.

Clear checkpoints for benefits communication during the project are defined.

Activities

2.1 Map the current portfolio intake process.

2.2 Establish project sponsor responsibilities and accountabilities for benefits management.

2.3 Develop organizationally specific benefit metrics and KPIs.

2.4 Integrate intake legitimacy into portfolio intake processes.

Outputs

Info-Tech’s Project Sponsor Role Description Template

Info-Tech’s Benefits Commitment Form Template

Intake legitimacy process flow and RASCI chart

Intake legitimacy SOP

3 Maintain Benefits Legitimacy Throughout Project Planning and Execution

The Purpose

Develop a customized SOP for benefits management during project planning and execution.

Key Benefits Achieved

Ensure that all changes to the project have been recorded and benefits have been updated in preparation for deployment.

Updated benefits expectations are included in the final sign-off package.

Activities

3.1 Map current project management process and audit project management documentation.

3.2 Identify appropriate benefits control points.

3.3 Customize project management documentation to integrate benefits.

3.4 Develop a deployment legitimacy process flow.

Outputs

Customized project management toolkit

Info-Tech’s Project Benefits Documentation Workbook

Deployment of legitimacy process flow and RASCI chart

Deployment of legitimacy SOP

4 Close the Deal on Project Benefits

The Purpose

Develop a post-project benefits realization process.

Key Benefits Achieved

Clear project sponsorship accountabilities for post-project benefits tracking and reporting.

A portfolio level benefits tracking tool for reporting on benefits attainment.

Activities

4.1 Identify appropriate benefits control points in the post-project process.

4.2 Configure Info-Tech’s Portfolio Benefits Tracking Tool.

4.3 Define a post-project benefits reporting process.

4.4 Formalize protocol for reporting on, and course correcting, benefit lags.

4.5 Develop a post-project legitimacy process flow.

Outputs

Info-Tech’s Portfolio Benefits Tracking Tool

Post-Project legitimacy process flow and RASCI chart

Post-Project Legitimacy SOP

Info-Tech’s Benefits Legitimacy Handbook

Info-Tech’s Benefits Legitimacy Workflow Template

Improve IT Team Effectiveness

  • member rating overall impact (scale of 10): 9.3/10 Overall Impact
  • member rating average dollars saved: $16,549 Average $ Saved
  • member rating average days saved: 5 Average Days Saved
  • Organizations rely on team-based work arrangements to provide organizational benefits and to help them better navigate the volatile, uncertain, complex, and ambiguous (VUCA) operating environment.
  • This is becoming more challenging in a hybrid model as interactions now rely less on casual encounters and now must become more intentional.
  • A high-performing team is more than productive. They are more resilient and able to recognize opportunities. They are proactive instead of reactive due to trust and a high level of communication and collaboration.
  • IT teams are more unique, which also provides unique challenges other teams don’t experience.

Our Advice

Critical Insight

IT teams have:

  • Multiple disciplines that tend to operate in parallel versus within a sequence of events.
  • Multiple incumbent roles where people operate in parallel versus needing to share information to produce an outcome.
  • Multiple stakeholders who create a tension with competing priorities.

Impact and Result

Use Info-Tech’s phased approach to diagnose your team and use the IDEA model to drive team effectiveness.

The IDEA model includes four factors to identify team challenges and focus on areas for improvement: identity, decision making, exchanges within the team, and atmosphere of team psychological safety.

Improve IT Team Effectiveness Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Team Effectiveness Storyboard – A step-by-step document that walks you through how to properly assess your team’s effectiveness and activities that will identify solutions to overcome.

The storyboard will walk you through three critical steps to assess, analyze, and build solutions to improve your team’s effectiveness.

  • Having your team members complete an assessment.
  • Reviewing and sharing the results.
  • Building a list of activities to select from based on the assessment results to ensure you target the problem you are facing.
    • Improve IT Team Effectiveness Storyboard – Phases 1-3

    2. The Team Effectiveness Survey – A tool that will determine what areas you are doing well in and where you can improve team relations and increase productivity.

    Each stage has a deliverable that supports your journey toward increased effectiveness, starting with how to communicate the assessment and culminating in a team charter and action plan.

    • IT Team Effectiveness Survey
    • IT Team Effectiveness Survey Tool

    3. Facilitation Guide – A collection of activities to select from and use with your team.

    The Facilitation Guide contains instructions for facilitating several activities aligned to each area of the IDEA Model, so you can target your approach directly to your team’s results.

  • Determining roles and responsibilities on the team.
  • Creating a decision-making model that outlines levels of authority and who makes the decisions.
  • Assessing the team communications flow, which highlights the communication flow on the team and any bottlenecks.
  • Building a communication poster that articulates methods used to share different information within the team.
    • Improve IT Team Effectiveness Facilitation Guide
    • Identity – Responsibilities and Dependencies
    • Decision Making Accountability Workbook
    • Exchanges – Team Communications Flow
    • Exchanges – Communications Guide Poster Template
    • Atmosphere – SCARF Worksheet

    4. Action Plan – A template to help build your team action plan.

    The Action Plan Template captures next steps for the team on what they are committing to in order to build a more effective team.

    • Action Plan Template

    5. Team Charter – A template to create a charter for a work group or project team.

    A Team Charter captures the agreements your team makes with each other in terms of accepted behaviors and how they will communicate, make decisions, and create an environment that everyone feels safe contributing in.

    • IT Team Charter Template

    Workshop: Improve IT Team Effectiveness

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Team

    The Purpose

    Determine if proceeding is valuable.

    Key Benefits Achieved

    Set context for team members.

    Activities

    1.1 Review the business context.

    1.2 Identify IT team members to be included.

    1.3 Determine goals and objectives.

    1.4 Build execution plan and determine messaging.

    1.5 Complete IDEA Model assessment.

    Outputs

    Execution and communication plan

    IDEA Model assessment distributed

    2 Review Results and Action Plan

    The Purpose

    Review results to identify areas of strength and opportunity.

    Key Benefits Achieved

    As a team, discuss results and determine actions.

    Activities

    2.1 Debrief results with leadership team.

    2.2 Share results with team.

    2.3 Identify areas of focus.

    2.4 Identify IDEA Model activities to support objectives and explore areas of focus.

    Outputs

    IDEA assessment results

    Selection of specific activities to be facilitated

    3 Document and Measure

    The Purpose

    Review results to identify areas of strength and opportunity.

    Key Benefits Achieved

    Build an action plan of solutions to incorporate into team norms.

    Activities

    3.1 Create team charter.

    3.2 Determine action plan for improvement.

    3.3 Determine metrics.

    3.4 Determine frequency of check-ins.

    Outputs

    Team Charter

    Action Plan

    Further reading

    Improve IT Team Effectiveness

    Implement the four critical factors required for all high-performing teams.

    Analyst Perspective

    All teams need to operate effectively; however, IT teams experience unique challenges.

    IT often struggles to move from an effective to a high-performing team due to the very nature of their work. They work across multiple disciplines and with multiple stakeholders.

    When operating across many disciplines it can become more difficult to identify the connections or points of interactions that define effective teams and separate them from being a working group or focus on their individual performance.

    IT employees also work in close partnership with multiple teams outside their IT domain, which can create confusion as to which team they are a primary member of. The tendency is to advocate for or on behalf of the team they primarily work with instead of bringing the IT mindset and alignment to the IT roadmap and goals to serve their stakeholders.

    Amanda Mathieson
    Research Director, People & Leadership Practice
    Info-Tech Research Group

    Executive Summary

    The Challenge

    Organizations rely on team-based work arrangements to provide organizational benefits and better navigate the volatile, uncertain, complex, and ambiguous (VUCA) operating environment.

    This is becoming more challenging in a hybrid environment as interactions now rely less on casual encounters and must become more intentional.

    A high-performing team is more than productive. They are more resilient and able to recognize opportunities. They are proactive instead of reactive due to the trust and high level of communication and collaboration.

    Common Obstacles

    IT teams are more unique, which also provides unique challenges other teams don't experience:

    • Multiple disciplines that tend to operate in parallel versus within a sequence of events
    • Multiple incumbent roles where people operate in parallel versus needing to share information to produce an outcome
    • Multiple stakeholders that create a tension with competing priorities

    Info-Tech's Approach

    Use Info-Tech's phased approach to diagnose your team and use the IDEA model to drive team effectiveness.

    The IDEA model includes four factors to identify team challenges and focus on areas for improvement: identity, decision making, exchanges within the team, and atmosphere of team psychological safety.

    Info-Tech Insight

    IT teams often fail to reach their full potential because teamwork presents unique challenges and complexities due to the work they do across the organization and within their own group. Silos, not working together, and not sharing knowledge are all statements that indicate a problem. As a leader it's difficult to determine what to do first to navigate the different desires and personalities on a team.

    How this blueprint will help

    Assess, diagnose, and address issues to realize your team's full potential.

    This research helps IT support:

    • Work Teams: Operate under one organizational unit or function. Their membership is generally stable with well-defined roles.
    • Project Teams: Typically time-limited teams formed to produce a particular output or project. Their membership and expertise tend to vary over time.
    • Management or Leadership Teams: Provide direction and guidance to the organization and are accountable for overall performance. Membership is structured by the hierarchy of the organization and includes a diverse set of skills, experience, and expertise.

    Traditionally, organizations have tried to fix ineffective teams by focusing on these four issues: composition, leadership competencies, individual-level performance, and organizational barriers. While these factors are important, our research has shown it is beneficial to focus on the four factors of effective teams addressed in this blueprint first. Then, if additional improvement is needed, shift your focus to the traditional issue areas.

    Common obstacles

    These barriers make it difficult to address effectiveness for many IT teams:

    • Teams do not use one standard set of processes because they may have a wide variety of assignments requiring different sets of processes.
      Source: Freshworks
    • There are multiple disciplines within IT that require vastly different skill sets. Finding the connection points can be difficult when on the surface it seems like success doesn't require interconnectivity.
    • IT has many people in the same roles that act independently based on the stakeholder or internal customer they are serving. This can lead to duplication of effort if information and solutions aren't shared.
    • IT serves many parts of the organization that can bring competing priorities both across the groups they support and with the IT strategy and roadmap itself. Many IT leaders work directly in or for the business, which can see them associate with the internal client team more than their IT team – another layer of conflicting priorities.

    IT also experiences challenges with maturity and data silos

    48%

    of IT respondents rate their team as low maturity.

    Maturity is defined by the value they provide the business, ranging from firefighting to innovative partner.

    Source: Info-Tech Research Group, Tech Trends, 2022

    20 Hours

    Data Silos: Teams waste more than 20 hours per month due to poor collaboration and communication.

    Source: Bloomfire, 2022

    Current realities require teams to operate effectively

    How High-Performing Teams Respond:

    Volatile: High degree of change happening at a rapid pace, making it difficult for organizations to respond effectively.

    Teams are more adaptable to change because they know how to take advantage of each others' diverse skills and experience.

    Uncertain: All possible outcomes are not known, and we cannot accurately assess the probability of outcomes that are known.

    Teams are better able to navigate uncertainty because they know how to work through complex challenges and feel trusted and empowered to change approach when needed.

    Complex: There are numerous risk factors, making it difficult to get a clear sense of what to do in any given situation.

    Teams can reduce complexity by working together to identify and plan to appropriately mitigate risk factors.

    Ambiguous: There is a lack of clarity with respect to the causes and consequences of events.

    Teams can reduce ambiguity through diverse situational knowledge, improving their ability to identify cause and effect.

    Teams struggle to realize their full potential

    Poor Communication

    To excel, teams must recognize and adapt to the unique communication styles and preferences of their members.

    To find the "just right" amount of communication for your team, communication and collaboration expectations should be set upfront.

    85% of tech workers don't feel comfortable speaking in meetings.
    Source: Hypercontext, 2022

    Decision Making

    Decision making is a key component of team effectiveness. Teams are often responsible for decisions without having proper authority.

    Establishing a team decision-making process becomes more complicated when appropriate decision-making processes vary according to the level of interdependency between team members and organizational culture.

    20% of respondents say their organization excels at decision making.
    Source: McKinsey, 2019

    Resolving Conflicts

    It is common for teams to avoid/ignore conflict – often out of fear. People fail to see how conflict can be healthy for teams if managed properly.

    Leaders assume mature adults will resolve conflicts on their own. This is not always the case as people involved in conflicts can lack an objective perspective due to charged emotions.

    56% of respondents prioritize restoring harmony in conflict and will push their own needs aside.
    Source: Niagara Institute, 2022

    Teams with a shared purpose are more engaged and have higher performance

    Increased Engagement

    3.5x

    Having a shared team goal drives higher engagement. When individuals feel like part of a team working toward a shared goal, they are 3.5x more likely to be engaged.

    Source: McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=5,427

    90%

    Engaged employees are stronger performers with 90% reporting they regularly accomplish more than what is expected.

    Source: McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=4,363

    Effective and high-performing teams exchange information freely. They are clear on the purpose and goals of the organization, which enable empowerment.

    Info-Tech Insight

    Clear decision-making processes allow employees to focus on getting the work done versus navigating the system.

    Case Study

    Project Aristotle at Google – What makes a team effective at Google?

    INDUSTRY: Technology
    SOURCE: reWork

    Challenge

    Google wanted to clearly define what makes a team effective to drive a consistent meaning among its employees. The challenge was to determine more than quantitative measures, because more is not always better as it can just mean more mistakes to fix, and include the qualitative factors that bring some groups of people together better than others.

    Solution

    There was no pattern in the data it studied so Google stepped back and defined what a team is before embarking on defining effectiveness. There is a clear difference between a work group (a collection of people with little interdependence) and a team that is highly interdependent and relies on each other to share problems and learn from one another. Defining the different meanings took time and Google found that different levels of the organization were defining effectiveness differently.

    Results

    Google ended up with clear definitions that were co-created by all employees, which helped drive the meaning behind the behaviors. More importantly it was also able to define factors that had no bearing on effectiveness; one of which is very relevant in today's hybrid world – colocation.

    It was discovered that teams need to trust, have clarity around goals, have structure, and know the impact their work has.

    Overcoming barriers

    Teams often lack the skills or knowledge to increase effectiveness and performance.

    • Leaders struggle with team strife and ineffectiveness.
    • A leader's ability to connect with and engage team members is vital for driving desired outcomes. However, many team leads struggle to deal with low-performing or conflict-ridden teams.
    • Without adequate training on providing feedback, coaching, and managing difficult conversations, team leads often do not have the skills to positively affect team performance – and they do not appreciate the impact their actions have on desired outcomes.
    • Team leads often find it difficult to invest time and resources in addressing challenges when the team is working toward deadlines.
    • Team leads who are new to a management role within the organization often struggle to transition from independent contributor to leader – especially when they are tasked with managing team members who are former peers.
    • Some team leads believe that soliciting help will be viewed as a personal failure, so they are reluctant to seek support for team performance management from more-senior leaders.

    It's unrealistic to expect struggling teams to improve without outside help; if they were able to, they would have already done so.
    To improve, teams require:

    • A clearly defined team identity
    • A clearly defined decision-making paradigm
    • Consistently productive exchanges within the team
    • An atmosphere of psychological safety

    BUT these are the very things they are lacking when they're struggling.

    Improving team effectiveness

    Use the Info-Tech IDEA Model to assess and improve your team's effectiveness.

    Begin by assessing, recognizing, and addressing challenges in:

    • Identity – team goals, roles, responsibilities, and accountabilities
    • Decision-making paradigms and processes within the team.
    • Exchanges of information, motivation, and emotions between team members
    • Atmosphere of team psychological safety

    IDEA Model of Team Effectiveness

    Effective Team

    • Identity
    • Decisions
    • Exchanges
    • Atmosphere

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1: Assess the team

    Call #1: Scope requirements, objectives, and your specific challenges.
    Call #2: Prepare to assess your team(s) using the assessment tool.

    Phase 2: Review results and action plan

    Call #3: Review the assessment results and plan next steps.
    Call #4: Review results with team and determine focus using IDEA model to identify activity based on results.
    Call #5: Complete activity to determine solutions to build your action plan.

    Phase 3: Document and measure

    Call #6: Build out your team agreement.
    Call #7: Identify measures and frequency of check-ins to monitor progress.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 (Half Day): Determine objectives and assess

    Activities

    With Leader – 1 hour
    1.1 Review the business context.
    1.2 Identify IT team members to be included.
    1.3 Determine goals and objectives.
    1.4 Build execution plan and determine messaging.
    With Team – 90 minutes
    1.5 Share messaging, set context.
    1.6 Complete Team Effectiveness Survey.

    Deliverables

    1. Execution and communication plan
    2. Team Effectiveness Survey

    Day 2: Review survey results

    Activities

    2.1 Debrief results with leadership team.
    2.2 Share results with team.
    2.3 Identify areas of focus.
    2.4 Identify IDEA Model activities to support objectives and explore areas of focus.

    Deliverables

    1. Assessment results
    2. IDEA Model team-building activities

    Day 3: Determine and conduct activities to increase effectiveness

    Activities

    3.1 Conduct IDEA Model Activities:

    • Identify – Clarify goals, roles, and responsibilities.
    • Decisions – Determine levels of authority; decision-making process.
    • Exchanges – Review information shared with communication methods and preferred styles of each team member.
    • Atmosphere – Create a psychologically safe environment.

    3.2 Record outcomes and actions.

    Deliverables

    1. List of solutions to incorporate into team norms
    2. Action Plan

    Day 4: Bridge the gap and create the strategy

    Activities

    4.1 Create team charter or agreement.
    4.2 Identify metrics to measure progress.
    4.3 Identify risks.
    4.4 Determine frequency of check-ins to review progress.
    4.5 Check-in with sponsor.

    Deliverables

    1. Team Charter

    Phase 1

    Assess the team

    Phase 1

    1.1 Identify team members and behaviors to improve using IDEA Model
    1.2 Determine messaging including follow-up plan
    1.3 Send survey

    Phase 2

    1.1 Review results with team
    1.2 Determine IDEA focus area(s)
    1.3 Conduct activity to determine solutions

    Phase 3

    1.1 Document outcomes and actions
    1.2 Create team charter
    1.3 Identify metrics to show success
    1.4 Schedule check-in

    Assess the shared understanding of team identity

    In addition to having a clear understanding of the team's goals and objectives, team members must also:

    • Understand their own and each other's roles, responsibilities, and accountabilities.
    • Recognize and appreciate the value of each team member.
    • Realize how their actions impact each others' work and the overall goals and objectives.
    • Understand that working in silos is considered a work group whereas a team coordinates activities, shares information, and supports each other to achieve their goals.

    Clear goals enable employees to link their contributions to overall success of the team. Those who feel their contributions are important to the success of the department are two times more likely to feel they are part of a team working toward a shared goal compared to those who don't (McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=4,551).

    Goals matter in teamwork

    The goals and objectives of the team are the underlying reason for forming the team in the first place. Without a clear and agreed-upon goal, it is difficult for teams to understand the purpose of their work.

    Clear goals support creating clear roles and the contributions required for team success.

    Team Identity = Team goals and Objectives + Individual roles, responsibilities, and accountabilities

    Assess the shared understanding of decision making

    Decision making adds to the complexity of teamwork.
    Individual team members hold different information and opinions that need to be shared to make good decisions.
    Ambiguous decision-making processes can result in team members being unable to continue their work until they get clear direction.
    The most appropriate decision-making process depends on the type of team:

    • The higher the degree of interconnectivity in team members' work, the greater the need for a general consensus approach to decision making. However, if you opt for a general consensus approach, a backup decision-making method must be identified in the event consensus cannot be reached.
    • High-pressure and high-stakes environments tend to centralize decision making to make important decisions quickly.
    • Low-pressure and low-stakes environments are more likely to adopt consensus models.

    Spectrum of Decision Making

    General consensus between all team members.

    A single, final decision maker within the team.

    Ensure team members understand how decisions are made within the team. Ask:

    • Do team members recognize the importance of sharing information, opinions, and suggestions?
    • Do team members feel their voices are heard?
    • Must there be consensus between all team members?
    • Is there a single decision maker?

    Assess team exchanges by focusing on communication

    Evaluate exchanges within your team using two categories:

    • Communication: the transmission and reception (listening) of information, motivations, and emotions. Success is defined in terms of how well information, motivations, and emotions are transmitted and received as intended.
    • Managing conflict: accepting and expressing diverse perspectives, and resolving conflict (unified action through diverse perspectives). Success is defined in terms of how well the team can move to united action through differences of opinion. Effective teams recognize that conflict can be healthy if managed effectively.

    These categories are related, but there is not always overlap. While some conflicts involve failures to successfully exchange information, conflict can also occur even when everyone is communicating successfully.

    Successful exchange behaviors

    • Shared understanding of how to motivate one another and how team members respond emotionally.
    • Team moving beyond conflict to united action.
    • Formalized processes used for resolving conflicts.
    • Platforms provided for expressing diverse or conflicting perspectives and opinions – and used in a constructive manner.
    • Use of agendas at meetings as well as clearly defined action items that reflect meeting outcomes.
    • Avoidance of language that is exclusive, such as jargon and inside jokes.

    Exchanges of information, emotion, and motivation

    When selecting a method of communication (for example, in-person versus email), consider how that method will impact the exchange of all three aspects – not just information.

    Downplaying the importance of emotional and motivational exchanges and focusing solely on information is very risky since emotional and motivational exchanges can impact human relationships and team psychological safety.

    • Information: data or opinions.
    • Emotions: feelings and evaluations about the data or opinions.
    • Motivations: what we feel like doing in response to the data or opinions.

    Communication affects the whole team

    Effects are not limited to the team members communicating directly:

    • How team members interact one on one transmits information and causes emotional and motivational responses in other group members not directly involved.
    • How the larger group receives information, emotions, and motivations will also impact how individuals relate to each other in group settings.

    Remember to watch the reactions and behavior of participants and observers when assessing how the team behaves.

    Managing conflict

    Identify how conflict management is embedded into team practices.

    • Resolving conflicts is difficult and uses up a lot of time and energy. This is especially true if the team needs to figure out what to do each and every time people disagree.
    • Teams that take the time to define conflict resolution processes upfront:
      • Demonstrate their commitment to resolving conflict in a healthy way.
      • Signal that diverse perspectives and opinions are valued, even if they spur disagreement sometimes.
      • Are ready for conflict when it arises – prepared to face it and thrive.

    Successfully communicating information, emotions, and motivations is not the same as managing conflict.

    Teams that are communicating well are more likely to uncover conflicting perspectives and opinions than teams that are not.

    Conflict is healthy and can be an important element of team success if it is managed.

    The team should have processes in place to resolve conflicts and move to united action.

    Assess the atmosphere

    Team psychological safety

    A team atmosphere that exists when all members feel confident that team members can do the following without suffering negative interpersonal consequences such as blame, shame, or exclusion:

    • Admit mistakes
    • Raise questions or concerns
    • Express dissenting views

    (Administrative Science Quarterly, 1999; The New York Times, 2016)

    What psychologically safe teams look like:

    • Open and learning-focused approach to error.
    • Effective conflict management within the team.
    • Emotional and relational awareness between team members.
    • Existence of work-appropriate interpersonal relationships between team members (i.e. beyond mere working relationships).

    (Administrative Science Quarterly, 1999; The New York Times, 2016)

    What "team psychological safety" is not:

    • A situation where all team members are friends.
      In some cases psychologically safe team atmospheres might be harder to create when team members are friends since they might be more reluctant to challenge or disagree with friends.
    • Merely trust. Being able to rely on people to honor their commitments is not the same as feeling comfortable admitting mistakes in front of them or disagreeing with them.

    "Psychological safety refers to an individual's perception of the consequences of taking an interpersonal risk or a belief that a team is safe for risk taking in the face of being seen as ignorant, incompetent, negative, or disruptive… They feel confident that no one on the team will embarrass or punish anyone else for admitting a mistake, asking a question, or offering a new idea."

    – re:Work

    Psychological safety

    The impact of psychological safety on team effectiveness

    Why does an atmosphere of team psychological safety matter?

    • Prevents groupthink.
      • People who do not feel safe to hold or express dissenting views gravitate to teams that think like they do, resulting in the well-known dangers of groupthink.
    • Encourages contribution and co-operation.
      • One study found that if team psychological safety is present, even people who tend to avoid teamwork will be more likely to contribute in team settings, thereby increasing the diversity of perspectives that can be drawn on (Journal of Organizational Culture, 2016).

    Creating psychological safety in a hybrid environment requires a deliberate approach to creating team connectedness.

    In the Info-Tech State of Hybrid Work in IT report, autonomy and team connectedness present an interesting challenge: higher levels of autonomy drove higher perceptions of a lack of connectedness to the respondent's team. In a hybrid world, this means leaders need to be intentional in creating a safe team dynamic.

    47% of employees who experienced more control over their decisions related to where, when, and how they work than before the pandemic are feeling less connected to their teams.
    Source: Info-Tech, State of Hybrid Work in IT, 2022

    1.1 Prepare to launch the survey

    1-2 hours

    1. Review and record the objectives and outcomes that support your vision of a high-performing team:
      1. Why is this important to you?
      2. What reactions do you anticipate from the team?
    2. In your team meeting, share your vision of what a high-performing team looks like. Engage the team in a discussion:
      1. Ask how they work. Ask them to describe their best working team environment from a previous experience or an aspirational one.
      2. Option: Instruct them to write on sticky notes, one idea per note, and share. This approach will allow for theming of ideas.
    3. Introduce the survey as a way for the team, together, to assess the current state against the desired state discussed.
      1. Be clear that, as the leader, you won't be completing the survey because you don't want to influence their perceptions of the team. As the leader, you hold authority and therefore experience the team differently. This is about them and their feedback.

    Input

    • Observations of team behavior
    • Clearly articulated goals for team cohesion

    Output

    • Speaking notes for introducing survey
    • Survey launch

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • IDEA Assessment

    Participants

    • Leader
    • Team Members

    Download the IT Team Effectiveness Survey

    1.2 Launch the survey

    1-2 hours

    1. Determine how the survey will be completed.
      1. Paper-based
        1. Email a copy of the Word document IT Team Effectiveness Survey for each person to complete individually.
        2. Identify one person to collect each survey and enter the results into the team effectiveness survey tool (tab 2. Data – Effectiveness Answers and tab 3. Data – Team Type Answers). This must be someone outside the team.
      2. Online direct input into Team Effectiveness Survey Tool
        1. Post the document in a shared folder.
        2. Instruct individuals to select one of the numbered columns and enter their information into tab 2. Data – Effectiveness Answers and tab 3. Data – Team Type Answers.
        3. To protect anonymity and keep results confidential, suggest each person open the document in "Incognito mode."
        4. Hide the Summary and Results tabs to avoid team members previewing them.

    Download the IT Team Effectiveness Survey Results Tool

    Paper-Based Cautions & Considerations

    • Heavily dependent on a trusted third party for genuine results
    • Can be time consuming to enter the results

    Online Direct Cautions & Considerations

    • Ensure that users keep to the same numbered column across both entry tabs
    • Seeing other team members' responses may influence others
    • Least amount of administration

    Phase 2

    Review Results and Action Plan

    This phase will walk you through the following activities:

    • Analyzing and debriefing the results to determine themes and patterns to come to a team consensus on what to focus on.
    • Facilitated activities to drive awareness, build co-created definitions of what an effective team looks like, and identify solutions the team can undertake to be more effective.

    This phase involves the following participants:

    • Leader of the team
    • All team members

    Deliverables:

    • A presentation that communicates the team assessment results
    • A plan for effectively delivering the assessment results

    Phase 2: Build a plan to review results and create an action plan

    Reviewing assessment results and creating an improvement action plan is best accomplished through a team meeting.

    Analyzing and preparing for the team meeting may be done by:

    • The person charged with team effectiveness (i.e. team coach).
      • For teams that are seriously struggling with team effectiveness, the coach should complete this step in its entirety.
    • The team coach and the team lead.
      • Truly effective teams are self-reliant. Begin upskilling team leads by involving team leads from the start.

    1. Analyze team assessment results
    2. Prepare to communicate results to the team
    3. Select team activities that will guide the identification of action items and next steps
    4. Facilitate the team meeting

    2.1 Analyze results

    Health Dials

    1. Once the results are final, review the Health Dials for each of the areas.
      1. For each area of the team's effectiveness:
        • Red indicates a threat – this will derail the team and you will require an external person to help facilitate conversations.
          We recommend contacting us for additional guidance if this is one of your results.
        • Yellow is a growth opportunity.
        • Green is a strength; pay attention to where the dial is – deep into strength or just past the line?
      2. Think about these questions and record your initial reactions.
        1. What surprises you – either positively or negatively?
        2. What areas are as expected?
        3. What behaviors are demonstrated that support the results?

    Prioritize one to two factors for improvement by selecting those with:

    • The lowest overall score.
    • The highest variance in responses.
    • If psychological safety is low, be sure to prioritize this factor; it is the foundation of any effective team.

    An image of the Health dials for each area.

    2.2 Analyze results

    Alignment of Responses

    1. The alignment of responses area provides you with an overview of the range of responses from the team for each area.
      • The more variety in the bars, the more differently each person is experiencing the team.
      • The more aligned the bars are, the more shared the experiences.

    The flatter the bars are across the top, the more agreement there was. Factors that show significant differences in opinion should be discussed to diagnose what is causing the misalignment within your team.

    2. We recommend looking at both the high scores and the lower scores, together with their alignment, to determine where you may want to focus.

    The alignment chart below shows varied responses; however, there are two distinct patterns. This will be an important area to review.
    Things to think about:

    • Are there new team members?
    • Has there been a leadership change?
    • Has there been a change that has impacted the team?

    An image showing the alignment of responses for Identity, Decisions, Exchange, and Atmosphere.

    2.3 Analyze results

    Team Characteristics and Stakes

    1. Team Characteristics. Use the Team Type Results tab in the IT Team Effectiveness Assessment Tool to identify how the team characterizes itself along the High-Low Scale. The position of the dark blue bar toward the right or left indicates the degree to which the team views the characteristic.
      1. Interdependence highlights the team's view on how interconnected and dependent they are on each other to get work done. Think of examples where they should be sharing or collaborating, and they are not.
      2. Virtual describes the physicality of the team. This area has changed a lot since 2020; however, it's still important to note if the team shares the same understanding of work location. Are they thinking of team members in a different geography or referring to hybrid work?
      3. Decision making describes the scale from one decision maker to many. Where are most decisions made on your team, and who is making them?
      4. Stability refers to the degree to which the team stays the same – no membership change or turnover. It can be defined by length of time the group has been together. Looking at this will help understand alignment results. If alignment is varied, one might expect a less stable team.
    2. Stakes and Pressure
      1. Pressure refers to the conditions in which the team must work. How urgent are requests?
      2. Stakes refers to the degree of impact the work has. Will outputs impact safety, health, or a service?
      3. This category can be reviewed against decision making – high-pressure, high-stakes environments usually have a high concentration of authority. Low-pressure, low-stakes decisions can be made either by one person, as there is relatively little impact, or by many, as you have time to get many perspectives.
      4. This area informs what your decision-making protocols should look like.

    A bar graph for Team Characteristics, and a quadrant analysis for comparing Stakes and Pressure.

    2.4 Prepare for meeting

    1-2 hours

    1. Select a facilitator
      • The right person to facilitate the meeting and present the results is dependent upon the results themselves, the team lead's comfort level, and the root and degree of team dysfunction.
      • Typically, the team lead will facilitate and present the results. However, in some cases it will be more appropriate to have a member of the HR team or an external third party facilitate.
    2. Set an agenda (recommended sample below) that ensures:
      • Team members reflect on the results and discuss reaction to the results. (E.g. Are they surprised? Why/why not?)
      • Results are clearly understood and accepted by team members before moving on to activities.
      • The aim of the meeting is kept in mind. The purpose of the team meeting is to involve all team members in the creation of an effectiveness improvement plan.
    3. Customize the Facilitation Guide and activities in the Improve IT Team Effectiveness Facilitation Guide. (Activities are aligned with the four factors in the IDEA model.)
      • Identify a clear objective for each activity given the team assessment results. (E.g. What are the areas of improvement? What is the desired outcome of the activity?)
      • Review and select the activities that will best achieve the objectives.
      • Customize and prepare for chosen activities appropriately.
      • Obtain all necessary materials.
      • Practice by anticipating and preparing for questions, objectives, and what you will say and do.

    Facilitation Factors
    Select a third-party facilitator if:

    • The team lead is uncomfortable.
    • The leadership or organization is implicated in the team's dysfunction; a third party can be sought in place of HR.

    Regardless of who facilitates, it is critical that the team lead understands the process and results and is comfortable answering any questions that arise.

    Agenda

    • Review the IDEA Model.
    • Discuss the assessment results.
    • Invite team members to reflect on the results and discuss reaction to the results.
    • Ensure results are clearly understood and accepted.
    • Examine team challenges and strengths through selected team activities.
    • Create a team charter and effectiveness improvement plan.

    Materials

    • IT Team Effectiveness Activities Facilitation Guide
    • IT Team Effectiveness Survey results

    Participants

    • Leader

    2.5 Run the meeting

    2-3 hours

    Facilitate the team meeting and agree on the team effectiveness improvement plan.

    Work with the team to brainstorm and agree on an action plan of continuous improvements.

    By creating an action plan together with the team, there is greater buy-in and commitment to the activities identified within the action plan.

    Don't forget to include timelines and task owners in the action plan – it isn't complete without them.

    Document final decisions in Info-Tech's Improve IT Team Effectiveness Action Plan Tool.

    Review activity Develop Team Charter in the Improve IT Team Effectiveness Facilitation Guide and conclude the team meeting by creating a team charter. With a team charter, teams can better understand:

    • Team objectives
    • Team membership and roles
    • Team ground rules

    Facilitation Factors

    Encourage and support participation from everyone.

    Be sure no one on the team dismisses anyone's thoughts or opinions – they present the opportunity for further discussion and deeper insight.

    Watch out for anything said or done during the activities that should be discussed in the activity debrief.

    Debrief after each activity, outlining any lessons learned, action items, and next steps.

    Agenda

    • Review the IDEA Model.
    • Discuss the assessment results.
    • Invite team members to reflect on the results and discuss reaction to the results.
    • Ensure results are clearly understood and accepted.
    • Examine team challenges and strengths through selected team activities.
    • Create a team charter and effectiveness improvement plan.

    Materials

    • IT Team Effectiveness Activities Facilitation Guide
    • Whiteboard/flip charts
    • Sticky notes
    • IT Team Effectiveness Survey results

    Participants

    • Leader
    • Team Members
    • Optional – External Facilitator

    Phase 3

    Document and measure

    This phase will walk you through the following activities:
    Building your team charter that will include:

    • Team vision, mission, and goals
    • Roles and responsibilities of each member
    • Decision-making responsibilities and process
    • How information will be shared and by whom
    • Ways to build psychological safety on the team

    This phase involves the following participants:

    • Leader of the team
    • All team members

    Document and agree to regular check-ins to reassess.

    As a team, it will be important to turn your brainstormed solutions into an output that is co-created.

    • Agree to what actions can be implemented.
    • Capture agreed-to team goals, roles, responsibilities, and decision process into a team charter. Also include your communication protocol that articulates how information will be shared in the future.

    1. Review suggestions and actions
    2. Capture in team charter
    3. Assign metrics to measure success and determine when to review
    4. Complete ongoing check-ins with team through team meeting and plan to reassess if agreed to

    Team Charter

    Never assume everyone "just knows."

    Set clear expectations for the team's interactions and behaviors.

    • Some teams call this a team agreement, team protocol, or ways of working. Determine the naming convention that works best for your team and culture.
    • This type of document saw renewed popularity during COVID-19, as face-to-face interactions were more difficult and teams needed to discover, share, and document new ways to work.
    • A co-created team charter is a critical component to onboarding new employees in the hybrid world.

    Info-Tech Insight – State of Hybrid Work in IT

    One contributor to the report shared the effort and intention around maintaining their culture during the pandemic. The team agreement created became a critical tool to enable conversations between leaders and their team – it was not a policy document.

    Team effectiveness is driven through thoughtful planned conversations. And it's a continued conversation.

    A screenshot of the IT Team Charter Template page

    Download the IT Team Charter Template

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    Identify the impact that improved team effectiveness will have on the organization.
    Determine your baseline metrics to assess the success of your team interventions and demonstrate the impact to the rest of the organization using pre-determined goals and metrics.
    Share success stories through:

    • Newsletters or email announcements
    • Team meetings
    • Presentations to business partners or the organization

    Sample effectiveness improvement goals and sample metrics

    • Increase employee engagement: Increase overall employee engagement scores in the Employee Engagement survey by 5% by December 31, 2023.
      Sample metric:
      • Overall employee engagement

    • Strengthen manager/employee relationships: Increase manager driver scores in the Employee Engagement survey by 5% by December 31, 2023.
      Sample metrics:
      • Employee engagement – manager driver
      • Employee engagement – senior leadership driver

    • Reduce employee turnover (i.e. increase retention): Reduce voluntary turnover by 5% by December 31, 2023.
      Sample metrics:
      • Voluntary turnover rate
      • Turnover by department or manager
      • Cost of turnover

    • Increase organizational productivity: Increase the value added by human capital by 5% by December 31, 2023.
      Sample metrics:
      • Value added by human capital
      • Employee productivity
      • Human capital return on investment
      • Employee engagement

    Reassess team effectiveness

    Reassess and identify trends after the team has worked on key focus areas for improvement.

    Track the team's progress by reassessing their effectiveness six to twelve months after the initial assessment.
    Identify if:

    • Team characteristics have changed.
    • Areas of team strengths are still a source of strength.
    • Areas for improvement have, in fact, improved.
    • There are opportunities for further improvement.

    As the team matures, priorities and areas of concern may shift; it is important to regularly reassess team effectiveness to ensure ongoing alignment and suitability.
    Note: It is not always necessary to conduct a full formal assessment; once teams become more effective and self-sufficient, informal check-ins by team leads will be sufficient.

    If you assess team effectiveness for multiple teams, you have the opportunity to identify trends:

    • Are there common challenges within teams?
    • If so, what are they?
    • How comfortable are teams with intervention?
    • How often is outside help required?

    By identifying these trends, initiatives, training, or tactics may be used to improve team effectiveness across the department – or even the organization.

    Teams are ultimately accountable for their own effectiveness.

    As teams mature, the team lead should become less involved in action planning. However, enabling truly effective teams takes significant time and resources from the team lead.

    Use the action plan created and agreed upon during the team meeting to hold teams accountable:

    • Ensure teams follow through on action items.
    • Ensure you are continuously assessing team effectiveness (formally or informally).

    The team coach should have a plan to transition into a supportive role by:

    • Providing teams with the knowledge, resources, and tools required to improve and sustain high effectiveness.
    • Providing team members and leads with a safe, open, and honest environment.
    • Stepping in as an objective third party when required.

    If the team continues to face barriers

    Other important information: If team effectiveness has not significantly improved, other interventions may be required that are beyond the scope of this project.

    The four factors outlined in the IDEA Model of team effectiveness are very important, but they are not the only things that have a positive or negative impact on teams. If attempts to improve the four factors have not resulted in the desired level of team effectiveness, evaluate other barriers:

    For organizational culture, ask if performance and reward programs do the following:

    • Value teamwork alongside individual achievement and competition
    • Provide incentives that promote a focus on individual performance over team performance
    • Reward or promote those who sabotage their teams

    For learning and development, ask:

    • Is team effectiveness included in our manager or leadership training?
    • Do we offer resources to employees seeking to improve their teamwork competencies?

    If an individual team member's or leader's performance is not meeting expectations, potential remedies include a performance improvement plan, reassignment, and termination of employment.

    These kinds of interventions are beyond the control of the team itself. In these cases, we recommend you consult with your HR department; HR professionals can be important advocates because they possess the knowledge, influence, and authority in the company to promote changes that support teamwork.

    Related Info-Tech Research

    Redesign Your IT Department

    • You could have the best IT employees in the world, but if they aren't structured well your organization will still fail in reaching its vision.
    • Increase the effectiveness of IT as a function.
    • Provide employees with clarity in their roles and responsibilities.

    Build an IT Employee Engagement Program

    • With the growing IT job market, turnover is a serious threat to IT's ability to deliver seamless value and continuously drive innovation.
    • Engagement initiatives are often seen as being HR's responsibility; however, IT leadership needs to take accountability for the retention and productivity of their employees in order to drive business value.

    Info-Tech Leadership Programs

    • Development of the leadership mind should never stop. This program will help IT leaders continue to craft their leadership competencies to navigate the ever-changing world in which we operate.
    • Actively delegate responsibilities and opportunities that engage and develop team members to build on current skills and prepare for the future.

    Research Contributors and Experts

    Carlene McCubbin
    Practice Lead
    Info-Tech Research Group

    Nick Kozlo
    Senior Research Analyst
    Info-Tech Research Group

    Heather Leier-Murray
    Senior Research Analyst
    Info-Tech Research Group

    Stephen O'Conner
    Executive Counselor
    Info-Tech Research Group

    Jane Kouptsova
    Research Director
    Info-Tech Research Group

    Dr. Julie D. Judd, Ed.D.
    Chief Technology Officer
    Ventura County Office of Education

    Works Cited

    Aminov, I., A. DeSmet, and G. Jost. "Decision making in the age of urgency." McKinsey. April 2019. Accessed January 2023.
    Duhigg, Charles. "What Google Learned From Its Quest to Build the Perfect Team." The New York Times, 25 Feb. 2016. Accessed January 2023.
    Edmondson, Amy. "Psychological Safety and Learning Behavior in Work Teams." Administrative Science Quarterly, vol. 44, no. 2, June 1999, pp. 350-383.
    Gardner, Kate. "Julie Judd – Ventura County Office of Education." Toggle, 12 Sept. 2022. Accessed January 2023.
    Google People Operations. "Guide: Understand Team Effectiveness." reWork, n.d. Accessed February 2023.
    Harkins, Phil. "10 Leadership Techniques for Building High-Performing Teams." Linkage Inc., 2014. Accessed 10 April 2017.
    Heath, C. and D. Heath. Decision: How to make better choices in life and work. Random House, 2013, ISBN 9780307361141.
    Hill, Jon. "What is an Information Silo and How Can You Avoid It." Bloomfire, 23 March 2022. Accessed January 2023.
    "IT Team Management Software for Enhanced Productivity." Freshworks, n.d. Accessed January 2023.
    Jackson, Brian. "2022 Tech Trends." Info-Tech Research Group, 2022. Accessed December 2022.
    Kahneman, Daniel. Thinking fast and slow. Farrar, Straus and Giroux. 2011.
    Kouptsova, J., and A. Mathieson. "State of Hybrid Work in IT." Info-Tech Research Group, 2023. Accessed January 2023.
    Mayfield, Clifton, et al. "Psychological Collectivism and Team Effectiveness: Moderating Effects of Trust and Psychological Safety." Journal of Organizational Culture, Communications and Conflict, vol. 20, no. 1, Jan. 2016, pp. 78-94.
    Rock, David. "SCARF: A Brain-Based Model for Collaborating With and Influencing Others." NeuroLeadership Journal, 2008. Web.
    "The State of High Performing Teams in Tech Hypercontext." Hypercontext. 2022. Accessed November 2022.
    Weick, Carl, and Kathleen Sutcliff. Managing the unexpected. John Wiley & Sons, 2007.
    "Workplace Conflict Statistics: How we approach conflict at work." The Niagara Institute, August 2022. Accessed December 2022.

    IT Strategy

    • member rating overall impact (scale of 10): 9.3/10
    • member rating average dollars saved: $105,465
    • member rating average days saved: 35
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: strategy-and-governance
    Success depends on IT initiatives clearly aligned to business goals.

    Enter Into Mobile Development Without Confusion and Frustration

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Mobile Development
    • Parent Category Link: /mobile-development
    • IT managers don’t know where to start when initiating a mobile program.
    • IT has tried mobile development in the past but didn't achieve success.
    • IT must initiate a mobile program quickly based on business priorities and needs a roadmap based on best practices.

    Our Advice

    Critical Insight

    • Form factors and mobile devices won't drive success – business alignment and user experience will. Don't get caught up with the latest features in mobile devices.
    • Software emulation testing is not true testing. Get on the device and run your tests.
    • Cross form-factor testing cannot be optimized to run in parallel. Therefore, anticipate longer testing cycles for cross form-factor testing.

    Impact and Result

    • Prepare your development, testing, and deployment teams for mobile development.
    • Get a realistic assessment of ROI for the launch of a mobile program.

    Enter Into Mobile Development Without Confusion and Frustration Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for a Mobile Program

    Understand the current mobile ecosystem. Use this toolkit to help you initiate a mobile development program.

    • Storyboard: Enter Into Mobile Development Without Confusion and Frustration

    2. Assess Your Dev Process for Readiness

    Review and evaluate your current application development process.

    3. Prepare to Execute Your Mobile Program

    Prioritize your mobile program based on your organization’s prioritization profile.

    • Mobile Program Tool

    4. Communicate with Stakeholders

    Summarize the execution of the mobile program.

    • Project Status Communication Worksheet

    Workshop: Enter Into Mobile Development Without Confusion and Frustration

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build your Future Mobile Development State

    The Purpose

    Understand the alignment of stakeholder objectives and priorities to mobile dev IT drivers.

    Assess readiness of your organization for mobile dev.

    Understand how to build your ideal mobile dev process.

    Key Benefits Achieved

    Identify and address the gaps in your existing app dev process.

    Build your future mobile dev state.

    Activities

    1.1 Getting started

    1.2 Assess your current state

    1.3 Establish your future state

    Outputs

    List of key stakeholders

    Stakeholder and IT driver mapping and assessment of current app dev process

    List of practices to accommodate mobile dev

    2 Prepare and Execute your Mobile Program

    The Purpose

    Assess the impact of mobile dev on your existing app dev process.

    Prioritize your mobile program.

    Understand the dev practice metrics to gauge success.

    Key Benefits Achieved

    Properly prepare for the execution of your mobile program.

    Calculate the ROI of your mobile program.

    Prioritize your mobile program with dependencies in mind.

    Build a communication plan with stakeholders.

    Activities

    2.1 Conduct an impact analysis

    2.2 Prepare to execute

    2.3 Communicate with stakeholders

    Outputs

    Impact analysis of your mobile program and expected ROI

    Mobile program order of execution and project dependencies mapping

    List of dev practice metrics

    Performance Measurement

    • member rating overall impact (scale of 10): 9.0/10
    • member rating average dollars saved: $19,436
    • member rating average days saved: 23
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: /strategy-and-governance
    Reinforce service orientation in your IT organization through IT metrics that make value-driven behavior happen.

    Knowledge Management

    • member rating overall impact (scale of 10): 9.0/10
    • member rating average dollars saved: $10,000
    • member rating average days saved: 2
    • Parent Category Name: People and Resources
    • Parent Category Link: /people-and-resources
    Mitigate Key IT Employee Knowledge Loss

    Enterprise Architecture Trends

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • The digital transformation journey brings business and technology increasingly closer.
    • Because the two become more and more intertwined, the role of the enterprise architecture increases in importance, aligning the two in providing additional efficiencies.
    • The current need for an accelerated digital transformation elevates the importance of enterprise architecture.

    Our Advice

    Critical Insight

    • Enterprise architecture is impacted and has an increasing role in the following areas:
      • Business agility
      • Security
      • Innovation
      • Collaborative EA
      • Tools and automation

    Impact and Result

    EA’s role in brokering and negotiating overlapping areas can lead to the creation of additional efficiencies at the enterprise level.

    Enterprise Architecture Trends Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Architecture Trends Deck – A trend report to support executives as they digitally transform the enterprise.

    In an accelerated path to digitization, the increasingly important role of enterprise architecture is one of collaboration across siloes, inside and outside the enterprise, in a configurable way that allows for quick adjustment to new threats and conditions, while embracing unprecedented opportunities to scale, stimulating innovation, in order to increase the organization’s competitive advantage.

    • Enterprise Architecture Trends Report

    Further reading

    Enterprise Architecture Trends

    Supporting Executives to Digitally Transform the Enterprise

    Analyst Perspective

    Enterprise architecture, seen as the glue of the organization, aligns business goals with all the other aspects of the organization, providing additional effectiveness and efficiencies while also providing guardrails for safety.

    In an accelerated path to digitization, the increasingly important role of enterprise architecture (EA) is one of collaboration across siloes, inside and outside the enterprise, in a configurable way that allows for quick adjustment to new threats and conditions while embracing unprecedented opportunities to scale, stimulating innovation to increase the organization’s competitive advantage.

    Milena Litoiu
    Principal/Senior Director, Enterprise Architecture
    Info-Tech Research Group

    Accelerated digital transformation elevates the importance of EA

    The digital transformation journey brings business and technology increasingly closer.

    Because the two become more and more intertwined, the role of enterprise architecture increases in importance, aligning the two in providing additional efficiencies.

    The current need for an accelerated digital transformation elevates the importance of enterprise architecture.

    More than 70% of organizations revamp their enterprise architecture programs. (Info-Tech Tech Trends 2022 Survey)

    Most organizations still see a significant gap between the business and IT.

    Enterprise Architecture (EA) is impacted and has an increasing role in the following areas

    Accelerated Digital Transformation

    • Business agility: Business agility, needed more than ever, increases reliance on enterprise strategies.
      EA creates alignment between business and IT to improve business nimbleness.
    • Security: More sophisticated attacks require more EA coordination.
      EA helps adjust to the increasing sophistication of external threats. Partnering with the CISO office to develop strategies to protect the enterprise becomes a prerequisite for survival.
    • Innovation: EA's role in innovation increases synergies at the enterprise level.
      EA plays an increasingly stronger role in innovation, from business endeavors to technology, across business units, etc.
    • Collaborative EA: Collaborative EA requires new ways of working.
      Enterprise collaboration gains new meaning, replacing stiff governance.
    • Tools & automation: Tools-based automation becomes increasingly common.
      Tools support as well as new artificial intelligence or machine-learning-powered approaches help achieve tools-assisted coordination across viewpoints and teams.

    Info-Tech Insight

    EA's role in brokering and negotiating overlapping areas can lead to the creation of additional efficiencies at the enterprise level.

    EA Enabling Business Agility

    Trend 01: Business agility is needed more than ever, and this increases reliance on enterprise strategies. To achieve nimbleness, organizations need to adapt to changes in the environment in a timely manner.

    Approaches:
    A plethora of approaches are needed (e.g. architecture modularity, data integration, AI/ML) in addition to other Agile/iterative approaches for the entire organization.

    Migrate to Office 365 Now

    • member rating overall impact (scale of 10): 9.3/10
    • member rating average dollars saved: $19,928
    • member rating average days saved: 9
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications
    • As Microsoft continues to push Office 365, the transition to Office 365 has likely already been decided, but uncertainty surrounds the starting point and the best path forward.
    • The lack of a clear migration process that considers all the relevant risks and opportunities creates significant ambiguity around an Office 365 migration.
    • As organizations migrate to Office 365, the change in Office’s licensing structure obscures spending, which could cost the business tens of thousands of dollars in unnecessary spend if not approached strategically.
    • The fear of overlooking risks regarding the cloud, data, and existing infrastructure threatens to place IT in a position of project paralysis.

    Our Advice

    Critical Insight

    • Many businesses are opting for a one-size-fits-all licensing strategy. Without selecting licensing to suit actual user needs, you will oversupply users and overspend on licensing.
    • Jumping into an Office 365 migration project without careful thought about the risks of a cloud migration will lead to project halts and interruptions. Plan intentionally to expose risk and develop the project foresight needed for a smooth migration.
    • A migration to Office 365 represents a significant change in the way users interact with Office. Be careful not to forget about the user as you take on the project. Engage the users consistently for a smooth transition.

    Impact and Result

    • Start by evaluating the business, users, and infrastructure requirements to ensure that all needs are clearly defined and the best fit-for-purpose migration plan can be decided on.
    • Assess the underlying risk associated with a migration to the cloud and build mitigation strategies to counter risk or impending issues and identify project interruptions before they happen.
    • Build a roadmap through a logical step-by-step process to outline major milestones and develop a communication plan to engage users throughout the migration. Demonstrate IT’s due diligence by relaying the project findings and results back to the business using Info-Tech’s Office 365 migration plan.

    Migrate to Office 365 Now Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should migrate to Office 365 now, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate requirements and licensing

    Evaluate the business, user, and infrastructure requirements to ensure that all needs are clearly defined and the best fit-for-purpose migration plan can be decided on.

    • Migrate to Office 365 Now – Phase 1: Evaluate Requirements and Licensing
    • Office 365 Migration Plan Report
    • Office 365 Migration Workbook

    2. Mitigate key risks of the cloud

    Expose key cloud risks across five major areas and build mitigation strategies to counter risk and gain foresight for migration.

    • Migrate to Office 365 Now – Phase 2: Mitigate Key Risks of the Cloud

    3. Build the roadmap

    Outline major milestones of migration and build the communication plan to transition users smoothly. Complete the Office 365 migration plan report to present to business stakeholders.

    • Migrate to Office 365 Now – Phase 3: Build the Roadmap
    • End-User Engagement Template

    Workshop: Migrate to Office 365 Now

    1 Evaluate Office 365 License Needs

    The Purpose

    Review corporate and project goals.

    Review and prioritize relevant services and applications to shape the migration path.

    Review Office 365 license models.

    Profile end users to rightsize licensing.

    Estimate dollar impact of new licensing model.

    Key Benefits Achieved

    Corporate goals for Office 365.

    Prioritized migration path of applications.

    Decision on user licensing structure.

    Projected cost of licensing.

    Activities

    1.1 Outline corporate and project goals to paint the starting line.

    1.2 Review and prioritize services.

    1.3 Rightsize licensing.

    Outputs

    Clear goals and metrics for migration

    Prioritized list of applications

    Effective licensing structure

    2 Assess Value, Readiness, and Risks

    The Purpose

    Conduct value and readiness assessment of current on-premises services.

    Identify and evaluate risks and challenges.

    Assess IT’s readiness to own and manage Office 365.

    Key Benefits Achieved

    Completed value and readiness assessment.

    Current targets for service and deployment models.

    List of perceived risks according to five major risk areas.

    Assessed IT’s readiness to own and manage Office 365.

    Established go/caution/stop for elected Office 365 services.

    Activities

    2.1 Assess value and readiness.

    2.2 Identify key risks.

    2.3 Identify changes in IT skills and roles.

    Outputs

    Cloud service appropriateness assessment

    Completed risk register

    Reorganization of IT roles

    3 Mitigate Risks

    The Purpose

    Review Office 365 risks and discuss mitigation strategies.

    Key Benefits Achieved

    Completed risks and mitigation strategies report.

    Activities

    3.1 Build mitigation strategies.

    3.2 Identify key service requests.

    3.3 Build workflows.

    Outputs

    Defined roles and responsibilities

    Assigned decision rights

    List of staffing gaps

    4 Build the Roadmap

    The Purpose

    Build a timeline of major milestones.

    Plan and prioritize projects to bridge gaps.

    Build a communication plan.

    Review Office 365 strategy and roadmap.

    Key Benefits Achieved

    Milestone roadmap.

    Critical path of milestone actions.

    Communication plan.

    Executive report.

    Activities

    4.1 Outline major milestones.

    4.2 Finalize roadmap.

    4.3 Build and refine the communication plan.

    Outputs

    Roadmap plotted projects, decisions, mitigations, and user engagements

    Finalized roadmap across timeline

    Communication and training plan

    Present Security to Executive Stakeholders

    • member rating overall impact (scale of 10): 10.0/10
    • member rating average dollars saved: $2,000
    • member rating average days saved: 10
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • There is a disconnect between security leaders and executive stakeholders on what information is important to present.
    • Security leaders find it challenging to convey the necessary information to obtain support for security objectives.
    • Changes to the threat landscape and shifts in organizational goals exacerbate the issue, as they impact security leaders' ability to prioritize topics to be communicated.
    • Security leaders struggle to communicate the importance of security to a non-technical audience.

    Our Advice

    Critical Insight

    Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and ensuring that you have met your goal.

    Impact and Result

    • Developing a thorough understanding of the security communication goals.
    • Understanding the importance of leveraging highly relevant and understandable data.
    • Developing and delivering presentations that will keep your audience engaged and build trust with your executive stakeholders.

    Present Security to Executive Stakeholders Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Present Security to Executive Stakeholders – A step-by-step guide to communicating security effectively to obtain support from decision makers.

    Use this as a guideline to assist you in presenting security to executive stakeholders.

    • Present Security to Executive Stakeholders Storyboard

    2. Security Presentation Templates – A set of security presentation templates to assist you in communicating security to executive stakeholders.

    The security presentation templates are a set of customizable templates for various types of security presentation including:

    • Present Security to Executive Stakeholders Templates

    Further reading

    Present Security to Executive Stakeholders

    Learn how to communicate security effectively to obtain support from decision makers.

    Analyst Perspective

    Build and deliver an effective security communication to your executive stakeholders.

    As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected.

    However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging.

    Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives.

    Ahmad Jowhar
    Research Specialist, Security & Privacy

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Many security leaders struggle to decide what to present and how to present security to executive stakeholders.
    • Constant changes in the security threat landscape impact a security leader’s ability to prioritize topics to be communicated.

    Common Obstacles

    • There is a disconnect between security leaders and executive stakeholders on what information is important to present.
    • Security leaders struggle to communicate the importance of security to a non-technical audience.

    Info-Tech’s Approach

    • Developing a thorough understanding of security communication goals.
    • Understanding the importance of leveraging highly relevant and understandable data.
    • Developing and delivering presentations that will keep your audience engaged and build trust with your executive stakeholders.

    Info-Tech Insight

    Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

    Your challenge

    As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

    • When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
    • This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
    • Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

    76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

    62% find it difficult to balance the risk of too much detail and need-to-know information.

    41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

    Source: Deloitte, 2022

    Common obstacles

    There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

    • Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
    • The issue has been amplified, with security threats constantly increasing across all industries.
    • However, security leaders don’t feel that they are in a position to make themselves heard.
    • The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
    • Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

    9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

    77% of organizations have seen an increase in the number of attacks in 2021.

    56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

    Source: EY, 2021
    The image contains a screenshot of an Info-Tech Thoughtmodel titled: Presenting Security to Executive Stakeholders.

    Info-Tech’s methodology for presenting security to executive stakeholders

    1. Identify communication goals
      • Phase steps: (1) Identify drivers for communicating to executives; (2) Define your goals for communicating to executives
      • Phase outcome: A defined list of drivers and goals to help you develop your security presentations

    2. Collect information to support goals
      • Phase steps: (1) Identify data to collect; (2) Plan how to retrieve data
      • Phase outcome: A list of data sources to include in your communication

    3. Develop communication
      • Phase steps: (1) Plan communication; (2) Build a compelling communication document
      • Phase outcome: A completed communication template

    4. Deliver communication
      • Phase steps: (1) Deliver a captivating presentation; (2) Obtain/verify goals
      • Phase outcome: A solidified understanding of how to effectively communicate security to your stakeholders

    Develop a structured process for communicating security to your stakeholders

    Security presentations are not a one-way street
    The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

    Identifying your goals is the foundation of an effective presentation
    Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

    Harness the power of data
    Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

    Take your audience on a journey
    Developing a storytelling approach will help engage with your audience.

    Win your audience by building a rapport
    Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

    Tactical insight
    Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

    Tactical insight
    Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

    Project deliverables

    This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

    Report on Security Initiatives
    Template showing how to inform executive stakeholders of security initiatives.

    Security Metrics
    Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.

    Security Incident Response & Recovery
    Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

    Security Funding Request
    Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

    Key template:

    Security and Risk Update

    Template showing how to inform executive stakeholders of proactive security and risk initiatives.

    Blueprint benefits

    IT/InfoSec benefits

    • Reduce effort and time spent preparing cybersecurity presentations for executive stakeholders by having templates to use.
    • Enable security leaders to better prepare what to present and how to present it to their executive stakeholders, as well as driving the required outcomes from those presentations.
    • Establish a best practice for communicating security and IT to executive stakeholders.

    Business benefits

    • Gain increased awareness of cybersecurity and the impact executive stakeholders can have on improving an organization’s security posture.
    • Understand how security’s alignment with the business will enable the strategic growth of the organization.
    • Gain a better understanding of how security and IT objectives are developed and justified.

    Measure the value of this blueprint

    Phase

    Measured Value (Yearly)

    Phase 1: Identify communication goals

    Cost to define drivers and goals for communicating security to executives:

    16 FTE hours @ $233K* = $1,940

    Phase 2: Collect information to support goals

    Cost to collect and synthesize necessary data to support communication goals:

    16 FTE hours @ $233K = $1,940

    Phase 3: Develop communication

    Cost to develop communication material that will contextualize information being shown:

    16 FTE hours @ $233K = $1,940

    Phase 4: Deliver communication

    Potential Savings:

    Total estimated effort = $5,820

    Our blueprint will help you save $5,820 and over 40 FTE hours

    * The financial figure depicts the annual salary of a CISO in 2022

    Source: “Chief Information Security Officer Salary.” Salary.com, 2022

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Phase 1

    Identify communication goals

    Phase 1
      1.1 Identify drivers for communicating to executives
      1.2 Define your goals for communicating to executives

    Phase 2
      2.1 Identify data to collect
      2.2 Plan how to retrieve data

    Phase 3
      3.1 Plan communication
      3.2 Build a compelling communication document

    Phase 4
      4.1 Deliver a captivating presentation
      4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Understanding the different drivers for communicating security to executive stakeholders
    • Identifying different communication goals

    This phase involves the following participants:

    • Security leader

    1.1. Identify drivers for communicating to executive stakeholders

    As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

    However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

    39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

    Source: EY, 2021.

    Info-Tech Insight

    Not all security presentations are the same. Keep your communication strategy and processes agile.

    Know your drivers for security presentations

    By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

    • These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
    • Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

    Understanding drivers will also help you understand how to present security to executive stakeholders.

    • These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
    • For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

    Identify your communication drivers, which can stem from various initiatives and programs, including:

    • Results from internal or external audit reports.
    • Upcoming budget meetings.
    • Briefing newly elected executive stakeholders on security.

    When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

    Examples of drivers for security presentations

    Audit
    Upcoming internal or external audits might require updates on the organization’s compliance

    Organizational restructuring
    Restructuring within an organization could require security updates

    Merger & Acquisition
    An M&A would trigger presentations on the organization’s current and future security posture

    Cyber incident
    A cyberattack would require an immediate presentation on its impact and the incident response plan

    Ad hoc
    Provide security information requested by stakeholders

    1.2. Define your goals for communicating to executives

    After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

    • Communication drivers are mainly triggers for why you want to present security.
    • Communication goals are the potential outcomes you are hoping to obtain from the presentation.
    • Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

    Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

    • As a group, brainstorm the security goals that align with your business goals for the coming year.
      • Aim to have at least two business goals that align with each security goal.
    • Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
      • E.g. Increased security awareness, updates on the organization’s security posture.
    • Identify what the ask is for this presentation.
      • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

    Info-Tech Insight

    There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

    Examples of security presentation goals

    Educate
    Educate the board on security trends and/or latest risks in the industry

    Update
    Provide updates on security initiatives, relevant security metrics, and compliance posture

    Inform
    Provide an incident response plan due to a security incident or deliver updates on current threats and risks

    Investment
    Request funding for security investments or financial updates on past security initiatives

    Ad hoc
    Provide security information requested by stakeholders

    Phase 2

    Collect information to support goals

    This phase will walk you through the following activities:

    • Understanding what types of data to include in your security presentations
    • Defining where and how to retrieve data

    This phase involves the following participants:

    • Security leader
    • Network/security analyst

    2.1 Identify data to collect

    After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

    • Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
    • The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
    • Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

    Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

    • Work with your security team to identify the main type of data applicable to the communication goals.
      • E.g. Financial data would be meaningful to use when communicating a budget presentation.
    • Identify supporting data linked to the main data defined.
      • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
    • Show how both the main and supporting data align with the communication goals.
      • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

    Info-Tech Insight

    Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

    Examples of data to present

    Educate
    Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

    Update
    Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

    Inform
    Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

    Investment
    Capital and operating expenditure for investment; ROI on past and future security initiatives

    Ad hoc
    Number of security initiatives that went over budget; phishing test campaign results

    2.2 Plan how to retrieve the data

    Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

    • Most of the data used in security presentations is structured data: highly organized data that is often stored in a relational, easily searchable database.
      • This includes security log reports or expenditures for ongoing and future security investments.
    • Retrieving the data, however, would require collaboration and cooperation from different team members.
    • You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

    Once the data source and owner have been identified, you need to plan how the data will be processed and leveraged for your presentation.

    • This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
    • Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

    Info-Tech Insight

    Using a data-driven approach to help support your objectives is key to engaging with your audience.

    Plan where to retrieve the data

    Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

    Examples of where to retrieve your data

    Data source: Audit & Compliance Reports
      • Data: Percentage of controls completed to be certified with ISO 27001; number of security threats & risks identified
      • Data owner: Audit Manager; Compliance Manager; Security Leader
      • Communication goal: Ad hoc, Educate, Inform

    Data source: Identity & Access Management (IAM) Applications
      • Data: Number of privileged accounts/department; percentage of user accounts with MFA applied
      • Data owner: Network/Security Analyst
      • Communication goal: Ad hoc, Inform, Update

    Data source: Security Information & Event Management (SIEM)
      • Data: Number of attacks detected and blocked before & after implementing endpoint security; percentage of firewall rules that triggered a false positive
      • Data owner: Network/Security Analyst
      • Communication goal: Ad hoc, Inform, Update

    Data source: Vulnerability Management Applications
      • Data: Percentage of critical vulnerabilities patched; number of endpoints encrypted
      • Data owner: Network/Security Analyst
      • Communication goal: Ad hoc, Inform, Update

    Data source: Financial & Accounting Software
      • Data: Capital & operating expenditure for future security investments; return on investment (ROI) on past and current security investments
      • Data owner: Financial and/or Accounting Manager
      • Communication goal: Ad hoc, Educate, Investments
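
    The query step described in 2.2, applied to three of the metrics listed above, as an added example that is not part of the original blueprint. The table names, column names, and sample rows are constructed assumptions standing in for IAM and vulnerability-management exports, not a real product schema.

```python
import sqlite3

# Constructed sample rows (assumed export format, not a real product schema).
# mfa_enabled is None where the IAM export did not report a state.
ACCOUNTS = [
    # (username, department, is_privileged, mfa_enabled)
    ("asmith", "Finance", 0, 1),
    ("bjones", "Finance", 1, 1),
    ("cwu", "IT", 1, 1),
    ("dpatel", "IT", 1, 0),
    ("egarcia", "IT", 0, 1),
    ("fkhan", "Sales", 0, 0),
    ("gmoore", "Sales", 0, None),
    ("hlee", "Sales", 0, 1),
]
VULNS = [
    # (vuln_id, severity, status)
    ("V-001", "critical", "patched"),
    ("V-002", "critical", "open"),
    ("V-003", "critical", "patched"),
    ("V-004", "critical", "patched"),
    ("V-005", "high", "open"),
    ("V-006", "medium", "patched"),
]


def load(accounts=ACCOUNTS, vulns=VULNS):
    """Load the sample exports into an in-memory relational database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (username TEXT, department TEXT, "
        "is_privileged INTEGER, mfa_enabled INTEGER)"
    )
    db.execute("CREATE TABLE vulns (vuln_id TEXT, severity TEXT, status TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", accounts)
    db.executemany("INSERT INTO vulns VALUES (?, ?, ?)", vulns)
    return db


def privileged_by_department(db):
    """Number of privileged accounts per department."""
    rows = db.execute(
        "SELECT department, SUM(is_privileged) FROM accounts "
        "GROUP BY department ORDER BY department"
    ).fetchall()
    return dict(rows)


def mfa_coverage(db):
    """Percentage of accounts with MFA applied, plus the count of unknowns.

    Accounts with no reported MFA state are excluded from the percentage and
    returned separately, so the data owner can verify them before the figure
    is presented.
    """
    known, enabled, unknown = db.execute(
        "SELECT COUNT(mfa_enabled), SUM(mfa_enabled = 1), "
        "SUM(mfa_enabled IS NULL) FROM accounts"
    ).fetchone()
    unknown = unknown or 0  # SUM() returns NULL on an empty table
    if not known:
        return None, unknown
    return round(100.0 * (enabled or 0) / known, 1), unknown


def critical_patched_pct(db):
    """Percentage of critical vulnerabilities patched; None if there are none."""
    total, patched = db.execute(
        "SELECT COUNT(*), SUM(status = 'patched') FROM vulns "
        "WHERE severity = 'critical'"
    ).fetchone()
    if total == 0:
        return None  # avoid reporting 0% or 100% when nothing was measured
    return round(100.0 * patched / total, 1)


if __name__ == "__main__":
    db = load()
    pct, unknown = mfa_coverage(db)
    print("Privileged accounts per department:", privileged_by_department(db))
    print(f"Accounts with MFA applied: {pct}% ({unknown} with unknown state)")
    print(f"Critical vulnerabilities patched: {critical_patched_pct(db)}%")
```

    Reporting the unknown count next to the percentage supports the verification step in 2.2: the data owner can confirm or correct those records before the number reaches executive stakeholders.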

    Phase 3

    Develop communication

    This phase will walk you through the following activities:

    • Identifying a communication strategy for presenting security
    • Identifying security templates that are applicable to your presentation

    This phase involves the following participants:

    • Security leader

    3.1 Plan communication: Know who your audience is

    • When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
    • This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

    Examples of two profiles in a boardroom

    Formal board of directors

    • In the private sector, this will include an appointed board of shareholders and subcommittees external to the organization.
    • In the public sector, this can include councils, commissions, or the executive team itself.
    • In government, this can include mayors, ministers, and governors.
    • The board’s overall responsibility is governance.

    The executive team

    • This audience will include your boss and your peers internal to the organization.
    • This category is primarily involved in the day-to-day operations of the organization and is responsible for carrying out the strategic direction set by the board.
    • The executive team’s overall responsibility is operations.

    3.1.1 Know what your audience cares about

    • Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
    • Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
    • Your background research could include:
      • Researching the audience’s professional background through LinkedIn.
      • Reviewing their comments from past executive meetings.
      • Researching current security trends that align with organizational goals.
    • Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

    A board’s purpose can include the following:

    • Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
    • Determining and funding the organization’s future and direction.
    • Protecting and increasing shareholder value.
    • Protecting the company’s exposure to risks.

    Examples of potential values and risks

    • Business impact
    • Financial impact
    • Security and incidents

    Info-Tech Insight
    Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

    Understand your audience’s concerns

    • Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
    • By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
    • These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
    • After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

    Examples of potential concerns for each profile of executive stakeholders

    Formal board of directors

    • Business impact (What is the impact of IT in solving business challenges?)
    • Investments (How will it impact the organization’s finances and efficiency?)
    • Cybersecurity and risk (What are the top cybersecurity risks, and how is IT mitigating those risks to the business?)

    The executive team

    • Business alignment (How do IT priorities align to the business strategy and goals?)
    • IT operational efficiency (How is IT set up for success with foundational elements of IT’s operational strategy?)
    • Innovation & transformation priorities (How is IT enabling the organization’s competitive advantage and supporting transformation efforts as a strategic business partner?)

    Build your presentation to tackle their main concerns

    Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

    Checklist:

    • Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
    • Include value and risk language in your presentation to appeal to your audience.
    • Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
    • Include information about what is in it for them and the organization.
    • Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

    Info-Tech Insight
    The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

    3.1.2 Take your audience through a security journey

    • Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
    • You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
    • Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
    • You can derive insights for your storytelling presentation by doing the following:
      • Provide a business case scenario on the topic you are presenting.
      • Identify and communicate the business problem up front and answer the three questions (why, what, how).
      • Quantify the problems in terms of business impact (money, risk, value).

    Info-Tech Insight
    Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

    Identify the purpose of your presentation

    You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

    Examples of communication goals

    To inform or educate

    • In this presentation type, it is easy for IT leaders to overwhelm a board with excessive or irrelevant information.
    • Focus your content on the business problem and the solution proposed.
    • Refrain from too much detail about the technology – focus on business impact and risk mitigated. Ask for feedback if applicable.

    To reach a decision

    • In this presentation type, there is a clear ask and an action required from the board of directors.
    • Be clear about what this decision is. Once again, don’t lead with the technology solution: Start with the business problem you are solving, and only talk about technology as the solution if time permits.
    • Ensure you know who votes and how to garner their support.

    Info-Tech Insight
    Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

    Gather the right information to include in your boardroom presentation

    Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

    Typical IT boardroom presentations include:

    • Communicating the value of ongoing business technology initiatives.
    • Requesting funds or approval for a business initiative that IT is spearheading.
    • Security incident response/Risk/DRP.
    • Developing a business program or an investment update for an ongoing program.
    • Business technology strategy highlights and impacts.
    • Digital transformation initiatives (value, ROI, risk).

    Info-Tech Insight
    You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

    Info-Tech Insight
    Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

    Structure your presentation to tell a logical story

    To build a strong story for your presentation, ensure you answer these three questions:

    WHY

    Why is this a business issue, or why should the executive stakeholders care?

    WHAT

    What is the impact of solving the problem and driving value for the company?

    HOW

    How will we leverage our resources (technology, finances) to solve the problem?

    Examples:

    Scenario 1: The company has experienced a security incident.

    Intent: To inform/educate the board about the security incident.

    WHY

    The data breach has resulted in a loss of customer confidence, negative brand impact, and a reduction in revenue of 30%.

    WHAT

    Financial, legal, and reputational risks identified, and mitigation strategies implemented. IT is working with the PR team on communications. Incident management playbook executed.

    HOW

    An analysis of vulnerabilities was conducted and steps to address are in effect. Recovery steps are 90% completed. Incident management program reviewed for future incidents.

    Scenario 2: Security is recommending investments based on strategic priorities.

    Intent: To reach a decision with the board – approve investment proposal.

    WHY

    The new security strategy outlines two key initiatives to improve an organization’s security culture and overall risk posture.

    WHAT

    Security proposed an investment to implement a security training & phishing test campaign, which will assist in reducing data breach risks.

    HOW

    Use 5% of security’s budget to implement security training and phishing test campaigns.

    Time plays a key role in delivering an effective presentation

    What you include in your story will often depend on how much time you have available to deliver the message.

    Consider the following:

    • Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
    • If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
    • Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
    • Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

    Navigating through Q&A

    Use the Q&A portion to build credibility with the board.

    • It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
    • When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
      • “Let’s work with the sub-committee to find you an answer.”
      • “Let’s take that offline to address in more detail.”
      • “I have some follow-up material I can provide you to discuss that further after our meeting.”
    • And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

    Info-Tech Insight
    The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

    Storytelling checklist

    Checklist:

    • Tailor your presentation based on how much time you have.
    • Find out ahead of time how much time you have.
    • Identify if your presentation is to inform/educate or reach a decision.
    • Identify and communicate the business problem up front and answer the three questions (why, what, how).
    • Express the problem in terms of business impact (risk, value, money).
    • Prepare and send pre-meeting collateral to the members of the board and executive team.
    • Include no more than 5-6 slides for your presentation.
    • Factor in Q&A time at the end of your presentation window.
    • Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
    • Have an elevator speech handy – one or two sentences and a one-pager version of your story.
    • Consider how you will build your relationship with the members outside the boardroom.

    3.1.3 Build a compelling communication document

    Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

    A good slide design increases the likelihood that the audience will read the content carefully.

    • Bad slide structure (flow) = Audience loses focus
      • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
    • Good visual design = Audience might read more
      • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
    • Good content + Good structure + Visual appeal = Good presentation
      • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

    Slide design best practices

    Leverage these slide design best practices to assist you in developing eye-catching presentations.

    • Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
    • Concise and clear: Fewer words = more skim-able.
    • Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
    • Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
    • Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
    • Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

    Your presentation must have a logical flow

    Horizontal logic

    • Horizontal logic should tell a story.
    • When slide titles are read in a cascading manner, they will tell a logical and smooth story.
    • Title & tagline = thesis (best insight).

    Vertical logic

    • Vertical logic should be intuitive.
    • Each step must support the title.
    • The content you intend to include within each slide is directly applicable to the slide title.
    • One main point per slide.

    Vertical logic should be intuitive

    Bad design layout (screenshot): The audience is unsure where to look and in what order.

    Good design layout (screenshot): The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

    Horizontal and vertical logic checklists

    Horizontal logic

    • List your slide titles in order and read through them.
    • Good horizontal logic should feel like a story. Incomplete horizontal logic will make you pause or frown.
    • After a self-test, get someone else to do the same exercise with you observing them.
    • Note at which points they pause or frown. Discuss how those points can be improved.

    Vertical logic

    • Now consider each slide title proposed and the content within it.
    • Identify if there is a disconnect in title vs. content.
    • If there is a disconnect, consider changing the title of the slide to appropriately reflect the content within it, or consider changing the content if the slide title is an intended path in the story.

    Make it easy to read

    Hard-to-read slide (screenshot):

    • Unnecessary coloring makes it hard on the eyes
    • Margin for the title at top is too small
    • Content is not skim-able (best to break up the slide)

    Easy-to-read slide (screenshot):

    Increase skim-ability:

    • Emphasize the subheadings
    • Bold important words

    Make it easier on the eyes:

    • Declutter and add sections
    • Have more white space

    Be concise and clear

    1. Write your thoughts down
      • This gets your content documented.
      • Don’t worry about clarity or concision yet.
    2. Edit for clarity
      • Make sure the key message is very clear.
      • Find your thesis statement.
    3. Edit for concision
      • Remove unnecessary words.
      • Use the active voice, not passive voice (see below for examples).

    Passive voice

    • “There are three things to look out for” (8 words)
    • “Network security was compromised by hackers” (6 words)

    Active voice

    • “Look for these three things” (5 words)
    • “Hackers compromised network security” (4 words)

    Be memorable

    Bad example (screenshot): Easy to read, but hard to remember the stats.

    Good example (screenshot): The visuals make it easier to see the size of the problem and make it much more memorable.

    Remember to:

    • Have some kind of visual (e.g. graphs, icons, tables).
    • Divide the content into sections.
    • Have a bit of color on the page.

    Aesthetics

    Bad aesthetics (screenshot): This draft slide is just content from the outline document on a slide with no design applied yet.

    Good aesthetics (screenshot):

    • Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate.
    • Divide the content into sections.
    • Have a bit of color on the page.
    • Bold or italicize important text.

    Why use visuals?

    How graphics affect us

    Cognitively

    • Engage our imagination
    • Stimulate the brain
    • Heighten creative thinking
    • Enhance or affect emotions

    Emotionally

    • Enhance comprehension
    • Increase recollection
    • Elevate communication
    • Improve retention

    Visual clues

    • Help decode text
    • Attract attention
    • Increase memory

    Persuasion

    • 43% more effective than text alone
    Source: Management Information Systems Research Center

    Presentation format

    Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

    • Is there a standard presentation template?
    • Is a hard-copy handout required?
    • Is there a deadline for draft submission?
    • Is there a deadline for final submission?
    • Will the presentation be circulated ahead of time?
    • Do you know what technology you will be using?
    • Have you done a dry run in the meeting room?
    • Do you know the meeting organizer?

    Checklist to build compelling visuals in your presentation

    Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

    Checklist:

    • Do the visuals grab the audience’s attention?
    • Will the visuals mislead the audience/confuse them?
    • Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
    • Do the visuals present information simply, cleanly, and accurately?
    • Do the visuals display the information/data in a concentrated way?
    • Do the visuals illustrate messages and themes from the accompanying text?

    3.2 Security communication templates

    Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck.

    These presentation templates highlight different security topics depending on your communication drivers, goals, and available data.

    Info-Tech has created five security templates to assist you in building a compelling presentation.

    These templates provide support for presentations on the following five topics:

    • Security Initiatives
    • Security & Risk Update
    • Security Metrics
    • Security Incident Response & Recovery
    • Security Funding Request

    Each template provides instructions on how to use it and tips on ensuring the right information is being presented.

    All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

    The image contains screenshots of the Security Presentation Templates.

    Download the Security Presentation Templates

    Security template example

    It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

    Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

    The image contains a screenshot of the Executive Summary slide. The image contains a screenshot of the Security Goals & Objectives slide.

    The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.

    This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

    The image contains a screenshot example of the Top Threats & Risks. The image contains a screenshot example of the Top Threats & Risks.

    This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

    This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

    The image contains a screenshot example of the slide, Risk Analysis. The image contains a screenshot example of the slide, Risk Mitigation Strategies & Roadmap.

    This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.

    The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

    Phase 4

    Deliver communication

    • Phase 1
      • 1.1 Identify drivers for communicating to executives
      • 1.2 Define your goals for communicating to executives
    • Phase 2
      • 2.1 Identify data to collect
      • 2.2 Plan how to retrieve data
    • Phase 3
      • 3.1 Plan communication
      • 3.2 Build a compelling communication document
    • Phase 4
      • 4.1 Deliver a captivating presentation
      • 4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Identifying a strategy to deliver compelling presentations
    • Ensuring you follow best practices for communicating and obtaining your security goals

    This phase involves the following participants:

    • Security leader

    4.1 Deliver a captivating presentation

    You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

    Follow these tips to assist you in developing an engaging presentation:

    • Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
    • Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
    • Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

    Keep your audience engaged with these steps

    • Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
    • Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
    • Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
    • Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

    Info-Tech Insight
    Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

    Be honest and straightforward with your communication

    • Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
    • Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
    • No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

    Hone presentation skills before meeting with the executive stakeholders

    Know your environment

    • Your organization has standards for how people are expected to dress at work. Make sure that your attire meets this standard – don’t be underdressed.
    • Think about your audience – would they appreciate you starting with a joke, or do they want you to get to the point as quickly as possible?

    Be professional but not boring

    • State the main points of your presentation confidently. While this should be obvious, it is essential. Your audience should be able to clearly see that you believe the points you are stating.
    • Present with lots of energy, smile, and use hand gestures to support your speech.

    Connect with your audience

    • Look each member of the audience in the eye at least once during your presentation. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention on you.
    • Never read from your slides. If there is text on a slide, paraphrase it while maintaining eye contact.

    Checklist for presentation logistics

    Optimize the timing of your presentation:

    • Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
    • Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
    • Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

    Script your presentation:

    • Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
    • Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
    • Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
    • Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

    Other considerations:

    • After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
    • After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
    • Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

    Checklist for delivering a captivating presentation

    Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

    Checklist:

    • Start with a story or something memorable to break the ice.
    • Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
    • Content must complement your end goal. Filter out any content that doesn’t complement the end goal.
    • Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
    • Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

    • Be deliberate in what you want to show your audience.
    • Ensure you have clean slides so the audience can focus on what you’re saying.
    • Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
    • How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
    • Ask for feedback.
    • Record yourself presenting.

    4.2 Obtain and verify support on security goals

    Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

    • This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
    • Leverage your appendix and other supporting documents to justify your goals.
    • Different approaches to obtaining and verifying your goals could include:
      • Acknowledgment from the audience that information communicated aligns with the business’s goals.
      • Approval of funding requests for security initiatives.
      • Written and verbal support for implementation of security initiatives.
      • Identifying next steps for information to communicate at the next executive stakeholder meeting.

    Info-Tech Insight
    Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

    Checklist for obtaining and verifying support on security goals

    Follow this checklist to assist you in obtaining and verifying your communication goals.

    Checklist:

    • Be clear about follow-up and next steps if applicable.
    • Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
    • “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
    • Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

    Summary of Accomplishment

    Problem Solved

    A better understanding of security communication drivers and goals

    • Understanding the difference between communication drivers and goals
    • Identifying your drivers and goals for security presentation

    A developed plan for how and where to retrieve data for communication

    • Insights on what type of data can be leveraged to support your communication goals
    • Understanding who you can collaborate with and potential data sources to retrieve data from

    A solidified communication plan with security templates to assist in better presenting to your audience

    • A guideline on how to prepare security presentations to executive stakeholders
    • A list of security templates that can be customized and used for various security presentations

    A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

    • Clear message on best practices for delivering security presentations to executive stakeholders
    • Understanding how to verify your communication goals have been obtained

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Build an Information Security Strategy
    This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

    Build a Security Metrics Program to Drive Maturity
    This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

    Bibliography

    Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
    Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
    Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
    Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
    Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
    Carnegie Endowment for International Peace. Web.
    “Chief Information Security Officer Salary.” Salary.com, 2022. Web.
    “CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
    “Cyber Security Oversight in the Boardroom.” KPMG, Jan. 2016. Web.
    “Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
    Dacri, Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
    Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
    “Global Board Risk Survey.” EY. Web.
    “Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
    “How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
    Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors.” Dentons. Web.
    Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
    McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
    Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
    Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
    Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
    O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

    “Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
    Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
    “Reporting Cybersecurity Risk to the Board of Directors.” Web.
    “Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance, 12 July 2022. Web.
    Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
    “The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
    “Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
    Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
    Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
    “Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

    Research Contributors

    • Fred Donatucci, New-Indy Containerboard, VP, Information Technology
    • Christian Rasmussen, St John Ambulance, Chief Information Officer
    • Stephen Rondeau, ZimVie, SVP, Chief Information Officer

    Build a Strategic IT Workforce Plan

    • Member rating, overall impact: 9.6/10
    • Member rating, average dollars saved: $180,171
    • Member rating, average days saved: 19
    • Talent has become a competitive differentiator. To 46% of business leaders, workforce planning is a top priority – yet only 13% do it effectively.
    • CIOs aren’t sure what they need to give the organization a competitive edge or how current staffing line-ups fall short.

    Our Advice

    Critical Insight

    • A well-defined strategic workforce plan (SWP) isn’t just a nice-to-have; it’s a must-have.
    • Integrate as much data as possible into your workforce plan to best prepare you for the future. Without knowledge of your future initiatives, you are filling hypothetical holes.
    • To be successful, you need to understand your strategic initiatives, workforce landscape, and external and internal trends.

    Impact and Result

    The workforce planning process does not need to be onerous, especially with help from Info-Tech’s solid planning tools. With the right people involved and enough time invested, developing an SWP will be easier than first thought and time well spent. Leverage Info-Tech’s client-tested 5-step process to build a strategic workforce plan:

    1. Build a project charter
    2. Assess workforce competency needs
    3. Identify impact of internal and external trends
    4. Identify the impact of strategic initiatives on roles
    5. Build and monitor the workforce plan

    Build a Strategic IT Workforce Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a strategic workforce plan for IT, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Initiate the project

    Assess the value of a strategic workforce plan and the IT department’s fit for developing one, and then structure the workforce planning project.

    • Build a Strategic Workforce Plan – Phase 1: Initiate the Project
    • IT Strategic Workforce Planning Project Charter Template
    • IT Strategic Workforce Planning Project Plan Template

    2. Analyze workforce needs

    Gather and analyze workforce needs based on an understanding of the relevant internal and external trends, and then produce a prioritized plan of action.

    • Build a Strategic Workforce Plan – Phase 2: Analyze Workforce Needs
    • Workforce Planning Workbook

    3. Build the workforce plan

    Evaluate workforce priorities, plan specific projects to address them, and formalize and integrate strategic workforce planning into regular planning processes.

    • Build a Strategic Workforce Plan – Phase 3: Build and Monitor the SWP

    Workshop: Build a Strategic IT Workforce Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Project Goals, Metrics, and Current State

    The Purpose

    Develop a shared understanding of the challenges your organization is facing with regard to talent and workforce planning.

    Key Benefits Achieved

    An informed understanding of whether or not you need to develop a strategic workforce plan for IT.

    Activities

    1.1 Identify goals, metrics, and opportunities

    1.2 Segment current roles

    1.3 Identify organizational culture

    1.4 Assign job competencies

    1.5 Assess current talent

    Outputs

    Identified goals, metrics, and opportunities

    Documented organizational culture

    Aligned competencies to roles

    Identified current talent competency levels

    2 Assess Workforce and Analyze Trends

    The Purpose

    Perform an in-depth analysis of how internal and external trends are impacting the workforce.

    Key Benefits Achieved

    An enhanced understanding of the current talent occupying the workforce.

    Activities

    2.1 Assess environmental trends

    2.2 Identify impact on workforce requirements

    2.3 Identify how trends are impacting critical roles

    2.4 Explore viable options

    Outputs

    Complete internal trends analysis

    Complete external trends analysis

    Identified internal and external trends on specific IT roles

    3 Perform Gap Analysis

    The Purpose

    Identify the changing competencies and workforce needs of the future IT organization, including shortages and surpluses.

    Key Benefits Achieved

    Determined impact of strategic initiatives on workforce needs.

    Identification of roles required in the future organization, including surpluses and shortages.

    Identified projects to fill workforce gaps.

    Activities

    3.1 Identify strategic initiatives

    3.2 Identify impact of strategic initiatives on roles

    3.3 Determine workforce estimates

    3.4 Determine projects to address gaps

    Outputs

    Identified workforce estimates for the future

    List of potential projects to address workforce gaps

    4 Prioritize and Plan

    The Purpose

    Prepare an action plan to address the critical gaps identified.

    Key Benefits Achieved

    A prioritized plan of action that will fill gaps and secure better workforce outcomes for the organization.

    Activities

    4.1 Determine and prioritize action items

    4.2 Determine a schedule for review of initiatives

    4.3 Integrate workforce planning into regular planning processes

    Outputs

    Prioritized list of projects

    Completed workforce plan

    Identified opportunities for integration

    Improve Service Desk Ticket Intake

    • Customers expect a consumer experience with IT. It won’t be long until this expectation expands to IT service support.
    • Messaging and threads are becoming central to how businesses organize information and conversations, but voice isn’t going away. It is still by far people’s favorite channel.
    • Tickets are becoming more complicated. BYOD, telework, and SaaS products present a perfect storm.
    • Traditional service metrics are not made for self service. Your mean-time-to-resolve will increase and first-contact resolution will decrease.

    Our Advice

    Critical Insight

    • Bring the service desk to the people. Select channels that are most familiar to your users, and make it as easy as possible to talk to a human.
    • Integrate channels. Users should have a consistent experience, and technicians should know user history.
    • Don’t forget the human aspect. People aren’t always good with technology. Allow them to contact a person if they are struggling.

    Impact and Result

    • Define which channels will be prioritized.
    • Identify improvements to these channels based on best practices and our members’ experiences.
    • Streamline your ticket intake process to remove unnecessary steps.
    • Prioritize improvements based on their value. Implement a set of improvements every quarter.

    Improve Service Desk Ticket Intake Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should improve your ticket intake, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define and prioritize ticket channels

    Align your improvements with business goals and the shift-left strategy.

    • Improve Service Desk Ticket Intake – Phase 1: Define and Prioritize Ticket Channels
    • Service Desk Maturity Assessment
    • Service Desk Improvement Presentation Template

    2. Improve ticket channels

    Record potential improvements in your CSI Register, as you review best practices for each channel.

    • Improve Service Desk Ticket Intake – Phase 2: Improve Ticket Channels
    • Service Desk Continual Improvement Roadmap
    • Service Desk Ticket Intake Workflow Samples (Visio)
    • Service Desk Ticket Intake Workflow Samples (PDF)
    • Service Definition Checklist
    • Service Desk Site Visit Checklist Template

    3. Define next steps

    Streamline your ticket intake process and prioritize opportunities for improvement.

    • Improve Service Desk Ticket Intake – Phase 3: Define Next Steps

    Workshop: Improve Service Desk Ticket Intake

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Optimize Ticket Channels

    The Purpose

    Brainstorm improvements to your systems and processes that will help you optimize.

    Key Benefits Achieved

    Develop a single point of contact.

    Reduce the time before a technician can start productively working on a ticket.

    Enable Tier 1 and end users to complete more tickets.

    Activities

    1.1 Prioritize channels for improvement.

    1.2 Optimize the voice channel.

    1.3 Identify improvements for self service.

    1.4 Improve Tier 1 agents’ access to information.

    1.5 Optimize supplementary ticket channels.

    Outputs

    Action items to improve the voice channel.

    Populated CSI Register for self-service channels.

    Identified action items for the knowledgebase.

    Populated CSI Register for additional ticket channels.

    2 Streamline Ticket Intake

    The Purpose

    Create long-term growth by taking a sustainable approach to improvements.

    Key Benefits Achieved

    Streamline your overall ticket intake process for incidents and service requests.

    Activities

    2.1 Map out the incident intake processes.

    2.2 Identify opportunities to streamline the incident workflow.

    2.3 Map out the request processes.

    2.4 Identify opportunities to streamline the request workflow.

    Outputs

    Streamlined incident intake process.

    Streamlined request intake process.

    Populated CSI Register for request intake.

    Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    • More so than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
    • It is increasingly likely that one of an organization's vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization.
    • Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.

    Impact and Result

    • Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts.

    Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management – Use the research to better understand the negative impacts of vendor actions on your organization.

    Use this research to identify and quantify the potential risk impacts caused by vendors. Utilize Info-Tech's approach to look at the impact from various perspectives to better prepare for issues that may arise.

    • Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management Storyboard

    2. Comprehensive Risk Impact Tool – Use this tool to help identify and quantify the impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Comprehensive Risk Impact Tool

    Further reading

    Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management

    Approach vendor risk impact assessments from all perspectives.

    Analyst Perspective

    Organizations must comprehensively understand the impacts vendors may cause through different potential actions.

    Frank Sewell

    The risks from the vendor market have become more prevalent as the technologies and organizational strategies shift to a global direction. With this shift in risk comes a necessary perspective change to align with the greater likelihood of an incident occurring from vendors' (or one of their downstream support vendors') negative actions.

    Organizational leadership must become more aware of the increasing risks that engaging vendors impose. To do so, they need to make informed decisions, which can only be provided by engaging expert resources in their organizations to compile a comprehensive look at potential risk impacts.

    Frank Sewell

    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    More so than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    It is increasingly likely that one of your vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.

    Common Obstacles

    Identifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization.

    Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.

    Info-Tech's Approach

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to changes in the global market. Ongoing monitoring and continual assessment of vendors’ risks is crucial to avoiding negative impacts.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    6 components of vendor risk beyond cybersecurity.  Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    62%

    of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

    Info-Tech Tech Trends Survey 2022

    82%

    of Microsoft non-essential employees shifted to working from home in 2020, joining the 18% already remote.

    Info-Tech Tech Trends Survey 2022

    89%

    of organizations invested in web conferencing technology to facilitate collaboration.

    Info-Tech Tech Trends Survey 2022

    Looking at Risk in a New Light:

    the 6 Pillars of Vendor Risk Management

    Vendor Risk

    • Financial

    • Strategic

    • Operational

    • Security

    • Reputational

    • Regulatory

    • Organizations must review their risk appetite and tolerance levels, considering their complete landscape.
    • Changing regulations, acquisitions, and events that affect global supply chains are current realities, not unlikely scenarios.
    • Prepare your vendor risk management for success using due diligence and scenario-based “What If” discussions to bring all the relevant parties to the table and educate your whole organization on risk factors.

    Assessing Financial Risk Impacts

    Strategic risks on a global scale

    Odds are at least one of these is currently affecting your strategic plans

    • Vendor Acquisitions
    • Global Pandemic
    • Global Shortages
    • Gas Prices
    • Poor Vendor Performance
    • Travel Bans
    • War
    • Natural Disasters
    • Supply Chain Disruptions
    • Security Incidents

    Make sure you have the right people at the table to identify and plan to manage impacts.

    Assess internal and external operational risk impacts

    Two sides of the same coin

    Internal

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    External

    • Cyberattacks
    • Supply Chain Issues
    • Geo-Political Disruptions
    • Vendor Acquisitions
    • N-Party Non-Compliance
    • Vendor Fraud

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

    Identify and manage security risk impacts on your organization

    Due diligence will enable successful outcomes

    • Poor vendor performance
    • Vendor acquisition
    • Supply chain disruptions and shortages
    • N-party risk
    • Third-party risk

    What your vendor associations say about you

    Reputations that affect your brand: Bad customer reviews, breach of data, poor security posture, negative news articles, public lawsuits, poor performance.

    Regulatory compliance

    Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.

    Your organizational risks may be monitored, but are your n-party vendors?


    Review your expectations with your vendors and hold them accountable

    Regulatory entities are looking beyond your organization’s internal compliance these days. Instead, they are increasingly diving into your third-party and downstream relationships, particularly as awareness of downstream breaches increases globally.

    • Are you assessing your vendors regularly?
    • Are you validating those assessments?
    • Do your vendors have a map of their downstream support vendors?
    • Do they have the mechanisms to hold those downstream vendors accountable to your standards?

    Identify and manage risks

    Regulatory

    Regulatory agencies are putting more enforcement around ESG practices across the globe. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors are adhering to these regulations or face penalties for non-compliance.

    Security-Data protection

    Data protection remains an issue. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor’s lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.

    Mergers and acquisitions

    More prominent vendors continuously buy smaller companies to control the market in the IT industry. Organizations should put protections in their contracts to ensure that an IT vendor’s acquisition does not put them in a relationship with someone that could cause them an issue.

    Identify and manage risks

    Poor vendor performance

    Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.

    Supply chain disruptions and global shortages

    Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.

    Poorly configured systems

    Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors is crucial to ensure they are meeting expectations in this regard.

    What to look for

    Identify potential risk impacts

    • Is there a record of complaints against the vendor from their employees or customers?
    • Is the vendor financially sound, with the resources to support your needs?
    • Has the vendor been cited for regulatory compliance issues in the past?
    • Does the vendor have a comprehensive list of their n-party vendor partners?
      • Are they willing to accept appropriate contractual protections regarding them?
    • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
    • Does the vendor operate in regions known for instability?
    • Is the vendor willing to make concessions on contractual protections, or are they only offering one-sided agreements with as-is warranties?

    Prepare your vendor risk management for success

    Due diligence will enable successful outcomes.

    1. Obtain top-level buy-in; it is critical to success.
    2. Build enterprise risk management (ERM) through incremental improvement.
    3. Focus initial efforts on the “big wins” to prove the process works.
    4. Use existing resources.
    5. Build on any risk management activities that already exist in the organization.
    6. Socialize ERM throughout the organization to gain additional buy-in.
    7. Normalize the process long term with ongoing updates and continuing education for the organization.

    Adapted from COSO

    How to assess third-party risk

    1. Review organizational risks

      Understand the organization's risks to prepare for the “What If” game exercise.
    2. Identify and understand potential risks

      Play the “What If” game with the right people at the table.
    3. Create a risk profile packet for leadership

      Pull all the information together in a presentation document.
    4. Validate the risks

      Work with leadership to ensure that the proposed risks are in line with their thoughts.
    5. Plan to manage the risks

      Lower the overall risk potential by putting mitigations in place.
    6. Communicate the plan

      It is important not only to have a plan but also to socialize it in the organization for awareness.
    7. Enact the plan

      Once the plan is finalized and socialized, put it in place with continued monitoring for success.

    Adapted from Harvard Law School Forum on Corporate Governance

    Insight summary

    Risk impacts often come from unexpected places and have significant consequences.

    Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization.

    Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization to avoid penalties.

    Insight 1

    Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.

    For example, Philips’ recall of ventilators impacted its products and the availability of its competitors’ products as demand overwhelmed the market.

    Insight 2

    Organizations often fail to understand how n-party vendors could place them in non-compliance.

    Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well, and hold your direct vendors accountable for the actions of their vendors.

    Insight 3

    Organizations need to know where their data lives and ensure it is protected.

    Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protections throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity.

    Insight summary

    Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.

    Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those managing the vendors.

    Insight 4

    Organizations need to learn how to assess the likelihood of potential risks in the rapidly changing online environments and recognize how their partnerships and subcontractors’ actions can affect their brand.

    For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?

    Insight 5

    Organizations fail to plan for vendor acquisitions appropriately.

    Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards against inadvertently entering a negative relationship? Do you have plans for replacing critical vendors purchased in such a manner?

    Insight 6

    Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.

    Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?

    Identifying vendor risk

    Who should be included in the discussion?

    • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
    • Getting input from operational experts at your organization will enhance your business's long-term potential for success.
    • Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying emerging potential strategic partners.
    • Make sure security, risk, and compliance are all at the table. These departments all look at risk from different angles for the business and give valuable insight collectively.
    • Organizations have a wealth of experience in their marketing departments that can help identify real-world scenarios of negative actions.

    See the blueprint Build an IT Risk Management Program

    Review your risk management plans for new risks on a regular basis.

    Keep in mind: Risk = Likelihood x Impact (R = L*I).

    Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent.

    Managing vendor risk impacts

    How could your vendors impact your organization?

    • Review vendors’ downstream connections to understand thoroughly who you are in business with
    • Institute continuous vendor lifecycle management
    • Develop IT risk governance and change control
    • Introduce continual risk assessment to monitor the relevant vendor markets
    • Monitor and schedule contract renewals and new service/module negotiations
    • Perform business alignment meetings to reassess relationships
    • Ensure strategic alignment in contracts
    • Review vendors’ business continuity plans and disaster recovery testing
    • Re-evaluate corporate policies frequently
    • Monitor your company’s and associated vendors’ online presence
    • Be adaptable and allow for innovations that arise from the current needs
      • Capture lessons learned from prior incidents to improve over time, and adjust your plans accordingly

    Organizations must review their risk appetite and tolerance levels, considering their complete landscape.

    Changing regulations, acquisitions, new security issues, and events that affect global supply chains are current realities, not unlikely scenarios.

    Ongoing Improvement

    Incorporating lessons learned.

    • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
    • When that happens, follow your incident response plans and act accordingly.
    • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
    • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

    Sometimes disasters occur despite our best plans to manage them.

    When this happens, it is important to document the lessons learned and improve our plans going forward.

    The "what if" game

    1-3 hours

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    1. Break into smaller groups (if too small, continue as a single group).
    2. Use the Comprehensive Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
    3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Comprehensive Risk Impact Tool

    Input

    • List of identified potential risk scenarios scored by impact
    • List of potential mitigations of the scenarios to reduce the risk

    Output

    • Comprehensive risk profile on the specific vendor solution

    Materials

    • Whiteboard/flip charts
    • Comprehensive Risk Impact Tool to help drive discussion

    Participants

    • Vendor Management – Coordinator
    • Organizational Leadership
    • Operations Experts (SMEs)
    • Business Process Experts
    • Legal/Compliance/Risk Manager

    High risk example from tool

    High risk example from Tool.  Shows sample questions to ask to identify impacts, their associated score, weight, and comments or notes.

    Note: Even though a few items are “scored” they have not been added to the overall weight, signaling that the company has noted but does not necessarily hold them against the vendor.

    How to mitigate:

    • Contractually insist that the vendor have a third-party security audit performed annually with the stipulation that they will not degrade below your acceptable standards.
    • At renewal, negotiate better contractual terms and protections for your organization.

    Low risk example from tool

    Low risk example from Tool.  Shows sample questions to ask to identify impacts, their associated score, weight, and comments or notes.

    Summary

    Seek to understand all potential risk impacts to better prepare your organization for success.

    • Organizations need to understand and map out their entire vendor landscape.
    • Understand where all your data lives and how you can control it throughout the vendor lifecycle.
    • Organizations need to be realistic about the likelihood of potential risks in the changing global world.
    • Those organizations that consistently follow their established risk-assessment and due-diligence processes are better positioned to avoid penalties.
    • Understand how your vendors prioritize your organization in their business continuity processes.
    • Bring the right people to the table to outline potential risks in the market and your organization.
    • Socialize the third-party vendor risk management process throughout the organization to heighten awareness and enable employees to help protect the organization.
    • Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
    • Incorporate lessons learned from prior incidents into your risk management process to build better plans for future issues.

    Organizations must evolve their risk assessments to be more meaningful to respond to global changes in the market.

    Organizations should increase the resources dedicated to monitoring the market as regulatory agencies continue to hold them more and more accountable.

    Bibliography

    Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

    Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

    Weak Cybersecurity is taking a toll on Small Businesses (tripwire.com)

    SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)

    Shared Assessments Member Poll March 2021. “Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties.”

    “Cybersecurity only the tip of the iceberg for third-party risk management”. Help Net Security, April 21, 2021. Accessed: 2022-07-29.

    “Third-Party Risk Management (TPRM) Managed Services”. Deloitte, 2022. Accessed: 2022-07-29.

    “The Future of TPRM: Third Party Risk Management Predictions for 2022”. OneTrust, December 20th 2021. Accessed 2022-07-29.

    “Third Party Vendor definition”. Law Insider, Accessed 2022-07-29.

    “Third Party Risk”. AWAKE Security, Accessed 2022-07-29.

    Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses", Info-Tech Research Group, June 2022.

    Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide", Transmission Private, July 2022. Accessed June 2022.

    Jagiello, Robert D, and Thomas T Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication.” Risk Analysis: An Official Publication of the Society for Risk Analysis, vol. 38, no. 10 (2018): 2193-2207. doi:10.1111/risa.13117

    Kenton, Will. "Brand Recognition", Investopedia, August 2021. Accessed June 2022.

    Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?", Ignyte, October 2017. Accessed June 2022.

    "Powerful Examples of How to Respond to Negative Reviews", Review Trackers, February 2022. Accessed June 2022.

    "The CEO Reputation Premium: Gaining Advantage in the Engagement Era", Weber Shandwick, March 2015. Accessed June 2022.

    "Valuation of Trademarks: Everything You Need to Know", UpCounsel, 2022. Accessed June 2022.

    Related Info-Tech Research

    Identify and Manage Financial Risk Impacts on Your Organization

    • Vendor management practices educate organizations on potential financial impacts that vendors may incur and suggest systems to help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Strategic Risk Impacts on Your Organization

    • Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

    Regulatory guidance and industry standards

    Leadership Workshop Overview

    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $69,299 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Leadership Development Programs
    • Parent Category Link: /leadership-development-programs

    Leadership has evolved over time. The velocity of change has increased and leadership for the future looks different than the past.

    Our Advice

    Critical Insight

    Development of the leadership mind should never stop. This program will help IT leaders continue to craft their leadership competencies to navigate the ever-changing world in which we operate.

    Impact and Result

    • Embrace and lead change through active sharing, transparency, and partnerships.
    • Encourage a growth mindset to enhance innovative ideas and go past what has always been done.
    • Actively delegate responsibilities and opportunities that engage and develop team members to build on current skills and prepare for the future.

    Leadership Workshop Overview Research & Tools

    Start here – read the Workshop Overview

    Read our concise Workshop Overview to find out how this program can support the development needs of your IT leadership teams.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Info-Tech Leadership Workshop Overview

    Service Management

    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture

    The challenge

    • We have good, holistic practices, but inconsistent adoption leads to chaotic service delivery and low customer satisfaction.
    • You may have designed your IT services with little structure, formalization, or standardization.
    • That makes the management of these services more difficult and also leads to low business satisfaction.


    Slash Spending by Optimizing Your Software Maintenance and Support

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Perpetual software maintenance (SW M&S) is an annual budget cost that increases almost yearly. You don’t really know if there is value in it, if it’s required by the vendor, or if there are opportunities for cost savings.
    • Most organizations never reap the full benefits of software M&S. They blindly send renewal fees to the vendor every year without validating their needs or the value of the maintenance. In addition, your vendor maintenance may be under contract and you aren’t sure what the obligations are for both parties.

    Our Advice

    Critical Insight

    • Analyzing the benefits contained within a vendor’s software M&S will provide the actual cost value of the M&S and whether there are critical support requirements vs. “nice to have” benefits.
    • Understanding the value and your requirement for M&S will allow you to make an informed decision on how best to optimize and reduce your annual software M&S spend.
    • Use a holistic approach when looking to reduce your software M&S spend. Review the entire portfolio for targeted reduction that will result in short- and long-term savings.
    • When targeting vendors to negotiate M&S price or coverage reduction, engaging them three to six months in advance of renewal will give you more time to negotiate effectively and keep you from giving in to time pressure.

    Impact and Result

    • Reduce annual costs for software maintenance and support.
    • Complete a value of investment (VOI) analysis of your software M&S for strategic vendors.
    • Maximize value of the software M&S by using all the benefits being paid for.
    • Right-size support coverage for your requirements.
    • Prioritize software vendors to target for cost reduction and optimization.

    Slash Spending by Optimizing Your Software Maintenance and Support Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to prioritize your software vendors and effectively target M&S for reduction, optimization, or elimination.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate

    Evaluate what software maintenance you are spending money on.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 1: Evaluate
    • Software M&S Inventory and Prioritization Tool

    2. Establish

    Establish your software M&S requirements and coverage.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 2: Establish
    • Software Vendor Classification Tool

    3. Optimize

    Optimize your M&S spend; reduce or eliminate it where applicable.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 3: Optimize
    • Software M&S Value of Investment Tool
    • Software M&S Cancellation Decision Guide
    • Software M&S Executive Summary Template
    • Software M&S Cancellation Support Template

    Modernize the Network

    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $16,499 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Network Management
    • Parent Category Link: /network-management
    • Business units, functions, and processes are inextricably intertwined with less and less tolerance for downtime.
    • Business demands change rapidly but the refresh horizon for infrastructure remains 5-7 years.
    • The number of endpoint devices the network is expected to support is growing geometrically but historic capacity planning grew linearly.
    • The business is unable to clearly define requirements, paralyzing planning.

    Our Advice

    Critical Insight

    • Build for your needs. Don’t fall into the trap of assuming what works for your neighbor, your peer, or your competitor will work for you.
    • Deliver on what your business knows it needs as well as what it doesn’t yet know it needs. Business leaders have business vision, but this vision won’t directly demand the required network capabilities to enable the business. This is where you come in.
    • Modern technologies are hampered by vintage processes. New technologies demand new ways of accomplishing old tasks.

    Impact and Result

    • Use a systematic approach to document all stakeholder needs and rely on the network technical staff to translate those needs into design constraints, use cases, features, and management practices.
    • Spend only on those emerging technologies that deliver features offering direct benefits to specific business goals and IT needs.
    • Solidify the business case for your network modernization project by demonstrating and quantifying the hard dollar value it provides to the business.

    Modernize the Network Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize the enterprise network, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess the network

    Identify and prioritize stakeholder and IT/networking concerns.

    • Modernize the Network – Phase 1: Assess the Network
    • Network Modernization Workbook

    2. Envision the network of the future

    Learn about emerging technologies and identify essential features of a modernized network solution.

    • Modernize the Network – Phase 2: Envision Your Future Network
    • Network Modernization Technology Assessment Tool

    3. Communicate and execute the plan

    Compose a presentation for stakeholders and prepare the RFP for vendors.

    • Modernize the Network – Phase 3: Communicate and Execute the Plan
    • Network Modernization Roadmap
    • Network Modernization Executive Presentation Template
    • Network Modernization RFP Template

    Workshop: Modernize the Network

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Network

    The Purpose

    Understand current stakeholder and IT needs pertaining to the network.

    Key Benefits Achieved

    Prioritized lists of stakeholder and IT needs.

    Activities

    1.1 Assess and prioritize stakeholder concerns.

    1.2 Assess and prioritize design considerations.

    1.3 Assess and prioritize use cases.

    1.4 Assess and prioritize network infrastructure concerns.

    1.5 Assess and prioritize care and control concerns.

    Outputs

    Current State Register

    2 Analyze Emerging Technologies and Identify Features

    The Purpose

    Analyze emerging technologies to determine whether or not to include them in the network modernization.

    Identify and shortlist networking features that will be part of the network modernization.

    Key Benefits Achieved

    An understanding of what emerging technologies are suitable for including in your network modernization.

    A prioritized list of features, aligned with business needs, that your modernized network must or should have.

    Activities

    2.1 Analyze emerging technologies.

    2.2 Identify features to support drivers, practices, and pain points.

    Outputs

    Emerging technology assessment

    Prioritized lists of modernized network features

    3 Plan for Future Capacity

    The Purpose

    Estimate future port, bandwidth, and latency requirements for all sites on the network.

    Key Benefits Achieved

    Planning for capacity ensures the network is capable of delivering until the next refresh cycle and beyond.

    Activities

    3.1 Estimate port, bandwidth, and latency requirements.

    3.2 Group sites according to capacity requirements.

    3.3 Create standardized capacity plans for each group.

    Outputs

    A summary of capacity requirements for each site in the network

    4 Communicate and Execute the Plan

    The Purpose

    Create a presentation to pitch the project to executives.

    Compose key elements of RFP.

    Key Benefits Achieved

    Communication to executives, summarizing the elements of the modernization project that business decision makers will want to know, in order to gain approval.

    Communication to vendors detailing the network solution requirements so that proposed solutions are aligned to business and IT needs.

    Activities

    4.1 Build the executive presentation.

    4.2 Compose the scope of work.

    4.3 Compose technical requirements.

    Outputs

    Executive Presentation

    Request for Proposal/Quotation

    Identify Opportunities to Mature the Security Architecture

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Organizations do not have a solid grasp on the complexity of their infrastructure and are unaware of the overall risk to their infrastructure posed by inadequate security.
    • Organizations do not understand how to properly create and deliver value propositions of technical security solutions.

    Our Advice

    Critical Insight

    • The security architecture is a living, breathing thing based on the risk profile of your organization.
    • Compliance and risk mitigation create an intertwined relationship between the business and your security architecture. The security architecture roadmap must be regularly assessed and continuously maintained to ensure security controls align with organizational objectives.

    Impact and Result

    • A right-sized security architecture can be created by assessing the complexity of the IT department, the operations currently underway for security, and the perceived value of a security architecture within the organization. This will bring about a deeper understanding of the organizational infrastructure.
    • Developing a security architecture should also result in a list of opportunities (i.e. initiatives) that an organization can integrate into a roadmap. These initiatives will seek to improve security operations and strengthen the IT department’s understanding of security’s role within the organization.
    • A better understanding of the infrastructure will help to save time on determining the correct technologies required from vendors and therefore cut down on the amount of vendor noise.
    • Creating a defensible roadmap will assist with justifying future security spend.

    Identify Opportunities to Mature the Security Architecture Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a right-sized security architecture, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the organization’s ideal security architecture

    Complete three unique assessments to define the ideal security architecture maturity for your organization.

    • Identify Opportunities to Mature the Security Architecture – Phase 1: Identify the Organization's Ideal Security Architecture
    • Security Architecture Recommendation Tool

    2. Create a security program roadmap

    Use the results of the assessments from Phase 1 of this research to create a roadmap for improving the security program.

    • Identify Opportunities to Mature the Security Architecture – Phase 2: Create a Security Program Roadmap

    Manage Your Chromebooks and MacBooks

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices

    Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

    • If you have modernized your end-user computing strategy, you may have Windows 10 devices as well as MacBooks.
    • Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks may be ideal as a low-cost interface into DaaS for your employees.
    • Managing Chromebooks can be particularly challenging as they grow in popularity in the education sector.

    Our Advice

    Critical Insight

    Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

    Impact and Result

    • Many solutions are available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don’t purchase capabilities that you may never use.
    • Use the associated Endpoint Management Selection Tool spreadsheet to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    Manage Your Chromebooks and MacBooks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Your Chromebooks and MacBooks deck – MacBooks and Chromebooks are growing in popularity in enterprise and education environments, and now you have to manage them.

    Explore options, guidance and some best practices related to the management of Chromebooks and MacBooks in the enterprise environment and educational institutions. Our guidance will help you understand features and options available in a variety of solutions. We also provide guidance on selecting the best endpoint management solution for your own environment.

    • Manage Your Chromebooks and MacBooks Storyboard

    2. Endpoint Management Selection Tool – Select the best endpoint management tool for your environment. Build a table to compare endpoint management offerings in relation to the features and options desired by your organization.

    This tool will help you determine the features and options you want or need in an endpoint management solution.

    • Endpoint Management Selection Tool

    Further reading

    Manage Your Chromebooks and MacBooks

    Financial constraints, strategy, and your user base dictate the need for Chromebooks and MacBooks – now you have to manage them in your environment.

    Analyst Perspective

    Managing MacBooks and Chromebooks is similar to managing Windows devices in many ways and different in others. The tools have many common features, yet they struggle to achieve the same goals.

    Until recently, Windows devices dominated the workplace globally. Computing devices were also rare in many industries such as education. Administrators and administrative staff may have used Windows-based devices, but Chromebooks were not yet in use. Most universities and colleges were Windows-based in offices with some flavor of Unix in other areas, and Apple devices were gaining some popularity in certain circles.

    That is a stark contrast compared to today, where Chromebooks dominate the classrooms and MacBooks and Chromebooks are making significant inroads into the enterprise environment. MacBooks are also a common sight on many university campuses. There is no doubt that while Windows may still be the dominant player, it is far from the only one in town.

    Now that Chromebooks and MacBooks are a notable, if not significant, part of the education and enterprise environments, they must be afforded the same considerations as Windows devices in those environments when it comes to management. The good news is that there is no lack of available solutions for managing these devices, and the endpoint management landscape is continually evolving and improving.


    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • You modernized your end-user computing strategy and now have Windows 10 devices as well as MacBooks.
    • Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks would be ideal as a low-cost interface into DaaS for your employees.
    • You are responsible for the management of all the new Chromebooks in your educational district.
    • Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

    Common Obstacles

    • Endpoint management solutions typically do a great job at managing one category of devices, like Windows or MacBooks, but they struggle to fully manage alternative endpoints.
    • Multiple solutions to manage multiple devices will result in multiple dashboards. A single view would be better.
    • One solution may not fit all, but multiple solutions is not desirable either, especially if you have Windows devices, MacBooks, and Chromebooks.

    Info-Tech's Approach

    • Use the tools at your disposal first – don't needlessly spend money if you don't have to. Many solutions can already manage other types of devices to some degree.
    • Use the integration capabilities of endpoint management tools. Many of them can integrate with each other to give you a single interface to manage multiple types of devices while taking advantage of additional functionality.
    • Don't purchase capabilities you will never use. Using 80% of a less expensive tool is economically smarter than using 10% of a more expensive tool.

    Info-Tech Insight

    Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

    Insight Summary

    Insight 1

    Google Admin Console is necessary to manage Chromebooks, but it can be paired with other tools. Implementation partnerships provide solutions to track the device lifecycle, track the repair lifecycle, sync with Google Admin Console as well as PowerSchool to provide a more complete picture of the user and device, and facilitate reminders to return the device, pay fees if necessary, pick up a device when a repair is complete, and more.

    Insight 2

    The Google Admin Console allows admins to follow an organizational unit (OU) structure very similar to what they may have used in Microsoft's Active Directory environment. This familiarity makes the task of administering Chromebooks easier for admins.

    Insight 3

    Chromebook management goes beyond securing and manipulating the device. Controls to protect the students while online, such as Safe Search and Safe Browsing, should also be implemented.

    Insight 4

    Most companies choose to use a dedicated MacBook management tool. Many unified endpoint management (UEM) tools can manage MacBooks to some extent, but admins tend to agree that a MacBook-focused endpoint management tool is best for MacBooks while a Windows-based endpoint management tool is best for Windows devices.

    Insight 5

    Some MacBook management solutions advocate integration with Windows UEM solutions to take advantage of Microsoft features such as conditional access, security functionality, and data governance. This approach can also be applied to Chromebooks.

    Chromebooks

    Chromebooks had a respectable share of the education market before 2020, but the COVID-19 pandemic turbocharged the penetration of Chromebooks in the education industry.

    Chromebooks are also catching the attention of some decision makers in the enterprise environment.

    "In 2018, Chromebooks represented an incredible 60 percent of all laptop or tablet devices in K-12 -- up from zero percent when the first Chromebook launched during the summer break in 2011."
    – "Will Chromebooks Rule the Enterprise?" Computerworld

    "Chromebooks were the best performing PC products in Q3 2020, with shipment volume increasing to a record-high 9.4 million units, up a whopping 122% year-on-year."
    – Android Police

    "Until the pandemic, Chrome OS' success was largely limited to U.S. schools. Demand in 2020 appears to have expanded beyond that small but critical part of the U.S. PC market."
    – Geekwire

    "In addition to running a huge number of Chrome Extensions and Apps at once, Chromebooks also run Android, Linux and Windows apps."
    – "Will Chromebooks Rule the Enterprise?" Computerworld

    Managing Chromebooks

    Start with the Google Admin Console (GAC)

    GAC is necessary to initially manage Chrome OS devices.

    GAC gives you a centralized console that will allow you to:

    • Create organizational units
    • Add your Chromebook devices
    • Add users
    • Assign users to devices
    • Create groups
    • Create and assign policies
    • Plus more

    GAC can facilitate device management with features such as:

    • Control admin permissions
    • Encryption and update settings
    • App deployment, screen timeout settings
    • Perform a device wipe if required
    • Audit user activity on a device
    • Plus more

    Device and user addition, group and organizational unit creation and administration, applying policies to devices and users – does all this remind you of your Active Directory environment?

    GAC lets you administer users and devices with a similar approach.

    Managing Chromebooks

    Use Active Directory to manage Chromebooks.

    • Enable Active Directory (AD) management from within GAC and you will be able to integrate your Chromebook devices with your AD environment.
    • Devices will be visible in both the GAC and AD environment.
    • Use Windows Group Policy to manage devices and to push policies to users and devices.
    • Users can use their AD username and password to sign into Chromebook devices.
    • GAC can still be used for devices that are not synced with AD.

    Chromebooks can also be managed through these approved partners:

    • Cisco Meraki
    • Citrix XenMobile
    • IBM MaaS360
    • ManageEngine Mobile Device Manager Plus
    • VMware Workspace ONE

    Source: Google

    You must be running the Chrome Enterprise Upgrade and have any licenses required by the approved partner to take advantage of this management option. The partner admin policies supersede GAC.

    If you stop using the approved partner admin console to manage your devices, the policies and settings in GAC will immediately take over the devices.

    Microsoft still has the market share when it comes to device sales, and many administrators are already familiar with Microsoft's Active Directory. Google took advantage of that familiarity when it designed the Google Admin Console structure for users, groups, and organizational units.

    Chromebook Deployment

    Chromebook deployment becomes a challenge when device quantities grow. The enrollment process can be time consuming, and every device must be enrolled before it can be used by an employee or a student. Many admins enlist their full IT teams to assist in the short term. Some vendor partners may assist with distribution options if staffing levels permit. Recent developments from Google have opened additional options for device enrollment beyond the manual enrollment approach.

    Enrolling Chromebooks comes down to one of two approaches:

    1. Manually enrolling one device at a time
      • Users can assist by entering some identifying details during the enrollment if permitted.
      • Some third-party solutions exist, such as USB drives to reduce repetitive keystrokes or hubs to facilitate manually enrolling multiple Chromebooks simultaneously.
    2. Google's Chrome Enterprise Upgrade or the Chrome Education Upgrade
      • This allows you to let your users enroll devices after they accept the end-user license agreement.
      • You can take advantage of Google's vendor partner program and use a zero-touch deployment method where the Chromebook devices automatically receive the assigned policies, apps, and settings as soon as the device is powered on and an authorized user signs in.
      • The Enterprise Upgrade and the Education Upgrade do come with an annual cost per device, which is currently less than US$50.
      • The Enterprise and Education Upgrades come with other features as well, such as enhanced security.

    Chromebooks are automatically assigned to the top-level organizational unit (OU) when enrolled. Devices can be manually moved to another OU, but admins can also create enrollment policies to place newly enrolled devices in a specific OU or have the device locate itself in the same OU as the user.

    Chromebooks in Education

    GAC is also used with Education-licensed devices

    Most of the settings and features previously mentioned are also available for Education-licensed devices and users. Enterprise-specific features will not be available to Education licenses. (Active Directory integration with Education licenses, for example, is accomplished using a different approach.)

    • Groups, policies, administrative controls, app deployment and management, adding devices and users, creating organizational units, and more features are all available to Education Admins to use.

    Education device policies and settings tend to focus more on protecting the students with controls such as:

    • Disable incognito mode
    • Disable location tracking
    • Disable external storage devices
    • Browser based protections such as Safe Search or Safe Browsing
    • URL blocking
    • Video input disable for websites
    • App installation prevention, auto re-install, and app blocking
    • Forced re-enrollment to your domain after a device is wiped
    • Disable Guest Mode
    • Restrict who can sign in
    • Audit user activity on a device

    When a student takes home a Chromebook assigned to them, that Chromebook may be the only computer in the household. Administrative policies and settings must take into account the fact that the device may have multiple users accessing many different sites and applications when the device is outside of the school environment.

    Chromebook Management Extended

    An online search for Chromebook management solutions will reveal several software solutions that augment the capabilities of the Google Admin Console. Many of these solutions are focused on the education sector and classroom and student options, although the features would be beneficial to enterprises and educational organizations alike.

    These solutions assist or augment Chromebook management with features such as:

    • Ability to sync with Google Admin Console
    • Ability to sync with student information systems, such as PowerSchool
    • Financial management, purchase details, and chargeback
    • Asset lifecycle management
    • 1:1 Chromebook distribution management
    • Repair programs and repair process management
    • Check-out/loan program management
    • Device distribution/allocation management, including barcode reader integration
    • Simple learning material distribution to the classroom for teachers
    • Facilitate GAC bulk operations
    • Manage inventory of non-IT assets such as projectors, TVs, and other educational assets
    • Plus more

    "There are many components to managing Chromebooks. Schools need to know which student has which device, which school has which device, and costs relating to repairs. Chromebook Management Software … facilitates these processes."
    – VIZOR

    MacBooks

    • MacBooks are gaining popularity in the Enterprise world.
    • Some admins claim MacBooks are less expensive in the long run over Windows-based PCs.
    • Users claim fewer issues when using a MacBook, and overall, companies report increased retention rates when users are using MacBooks.

    "Macs now make up 23% of endpoints in enterprises."
    – ComputerWeekly.com

    "When given the choice, no less than 72% of employees choose Macs over PCs."
    – "5 Reasons Mac is a must," Jamf

    "IBM says it is 3X more expensive to manage PCs than Macs."
    – Computerworld

    "74% of those who previously used a PC for work experienced fewer issues now that they use a Mac"
    – "Global Survey: Mac in the Enterprise," Jamf

    "When enterprise moves to Mac, staff retention rates improve by 20%. That's quite a boost!"
    – "5 Reasons Mac is a must," Jamf

    Managing MacBooks

    Can your existing UEM keep up?

    Many Windows unified endpoint management (UEM) tools can manage MacBooks, but most companies choose to use a dedicated MacBook management tool.

    • UEM tools that are primarily Windows focused do not typically go deep enough into the management capabilities of non-Windows devices.
    • Admins have noted limitations when it comes to using Windows UEM tools, and reasons they prefer a dedicated MacBook management solution include:
      • Easier to use
      • Faster response times when deploying settings and policies
      • Better control over notification settings and lock screen settings
      • Easier Apple Business Manager (ABM) integration and provisioning
    • Note that not every UEM will have the same limitations or advantages. Functionality is different between vendor products.

    Info-Tech Insight

    Most Windows UEM tools are constantly improving, and it is only a matter of time before they rival many of the dedicated MacBook management tools out there.

    Admins tend to agree that a Windows UEM is best for Windows while an Apple-based UEM is best for Apple devices.

    Managing MacBooks

    The market for "MacBook-first" management solutions includes a variety of players of varying ages such as:

    • Jamf
    • Kandji
    • Mosyle
    • SimpleMDM
    • Others

    MacBook-focused management tools can provide features such as:

    • Encryption and update settings
    • App deployment and lifecycle management
    • Remote device wipe, scan, shutdown, restart, and lock
    • Zero touch deployment and support
    • Location tracking
    • Browser content filtering
    • Enable, hide/block, or disable built-in features
    • Configure Wi-Fi, VPN, and certificate-based settings
    • Centralized dashboard with device and app listings as well as individual details
    • Data restrictions
    • Plus more

    Unified endpoint management (UEM) solutions that can provide MacBook management to some degree include (but are not limited to):

    • Intune
    • Ivanti
    • Endpoint Central
    • WorkspaceOne

    Dedicated solutions advocate integration with UEM solutions to take advantage of conditional access, security functionality, and data governance features.

    Jamf and Microsoft entered into a collaboration several years ago with the intention of making the MacBook management process easier and more secure.

    Microsoft Intune and Jamf Pro: Better together to manage and secure Macs
    Microsoft Conditional Access with Jamf Pro ensures that company data is only accessed by trusted users, on trusted devices, using trusted apps. Jamf extends this Enterprise Mobile + Security (EMS) functionality to Mac, iPhone and iPad.
    – "Microsoft Intune and Jamf Pro," Jamf

    Endpoint Management Selection Tool
    Activity

    There are many solutions available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don't purchase capabilities that you may never use.

    Use the Endpoint Management Selection Tool to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    1. List out the desired features you want in an endpoint solution for your devices and record those features in the first column. Use the features provided, or add your own and edit or delete the existing ones if necessary.
    2. List your selected endpoint management solution vendors in each of the columns in place of "Vendor 1," "Vendor 2," etc.
    3. Fill out the spreadsheet by changing the corresponding desired feature cell under each vendor to a "yes" or "no" based on your findings while investigating each vendor solution.
    4. When you have finished your investigation, review your spreadsheet to compare the various offerings and pros and cons of each vendor.
    5. Select your endpoint management solution.

    Endpoint Management Selection Tool

    In the first column, list out the desired features you want in an endpoint solution for your devices. Use the features provided if desired, or add your own and edit or delete the existing ones if necessary. As you look into various endpoint management solution vendors, list them in the columns in place of "Vendor 1," "Vendor 2," etc. Use the "Desired Feature" list as a checklist and change the values to "yes" or "no" in the corresponding box under the vendors' names. When complete, you will be able to look at all the features and compare vendors in a single table.

    Desired Feature | Vendor 1 | Vendor 2 | Vendor 3
    Organizational unit creation | Yes | No | Yes
    Group creation | Yes | Yes | Yes
    Ability to assign users to devices | No | Yes | Yes
    Control of administrative permissions | Yes | Yes | Yes
    Conditional access | No | Yes | Yes
    Security policies enforced | Yes | No | Yes
    Asset management | No | Yes | No
    Single sign-on | Yes | Yes | Yes
    Auto-deployment | No | Yes | No
    Repair lifecycle tracking | No | Yes | No
    Application deployment | Yes | Yes | No
    Device tracking | Yes | Yes | Yes
    Ability to enable encryption | Yes | No | Yes
    Device wipe | Yes | No | Yes
    Ability to enable/disable device tracking | No | No | Yes
    User activity audit | No | No | No

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy
    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Best Unified Endpoint Management (UEM) Software 2022 | SoftwareReviews
    Compare and evaluate unified endpoint management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best unified endpoint management software for your organization.

    Best Enterprise Mobile Management (EMM) Software 2022 | (softwarereviews.com)
    Compare and evaluate enterprise mobile management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best enterprise mobile management software for your organization.

    Bibliography

    Bridge, Tom. "Macs in the enterprise – what you need to know". Computerweekly.com, TechTarget. 27 May 2022. Accessed 12 Aug. 2022.
    Copley-Woods, Haddayr. "5 reasons Mac is a must in the enterprise". Jamf.com, Jamf. 28 June 2022. Accessed 16 Aug. 2022.
    Duke, Kent. "Chromebook sales skyrocketed in Q3 2020 with online education fueling demand." androidpolice.com, Android Police. 16 Nov 2020. Accessed 10 Aug. 2022.
    Elgin, Mike. "Will Chromebooks Rule the Enterprise? (5 Reasons They May)". Computerworld.com, Computerworld. 30 Aug 2019. Accessed 10 Aug. 2022.
    Evans, Jonny. "IBM says it is 3X more expensive to manage PCs than Macs". Computerworld.com, Computerworld. 19 Oct 2016. Accessed 23 Aug. 2022.
    "Global Survey: Mac in the Enterprise". Jamf.com, Jamf. Accessed 16 Aug. 2022.
    "How to Manage Chromebooks Like a Pro." Vizor.cloud, VIZOR. Accessed 10 Aug. 2022.
    "Manage Chrome OS Devices with EMM Console". support.google.com, Google. Accessed 16 Aug. 2022.
    Protalinski, Emil. "Chromebooks outsold Macs worldwide in 2020, cutting into Windows market share". Geekwire.com, Geekwire. 16 Feb 2021. Accessed 22 Aug. 2022.
    Smith, Sean. "Microsoft Intune and Jamf Pro: Better together to manage and secure Macs". Jamf.com, Jamf. 20 April 2022. Accessed 16 Aug. 2022.

    IT Asset Management (ITAM) Market Overview

    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Data management is challenging at the best of times, but managing assets that change on a daily basis is difficult without automation and a good asset tool.
    • For organizations moving beyond basic hardware inventory, knowing what to look for to prepare for future processes seems impossible.
    • Using price as the leading criterion or just as an add-on to your ITSM solution may frustrate your efforts, especially if managing complex licensing is part of your mandate.

    Our Advice

    Critical Insight

    • If the purchase is happening independent of process design or review, it’s easy to end up with a solution that doesn’t fit your environment.
    • The complexity of your environment should be a significant factor in choosing an IT asset management solution.
    • Imagining the possibilities and understanding the differences between IT asset tools will drive you to the right solution for long-term gain in managing dynamic assets.

    Impact and Result

    • Regardless of whether your IT environment is on-premises, in the cloud, or a complex hybrid of the two, knowing where your asset funds are allocated is key to right-sizing costs and reducing risks of non-compliance or lost assets.
    • Choosing the right tools for the job will be key to your success.

    IT Asset Management (ITAM) Market Overview Research & Tools

    Start here: Read the Market Overview

    Read the Market Overview to understand what features and capabilities are available in ITAM tools. The right feature match is key to making a data-heavy and challenging process easier for your team.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • IT Asset Management Market Overview

    1. Prepare your project plan and selection process

    Use the Info-Tech templates to identify and document your requirements, plan your project, and prepare to engage with vendors.

    • ITAM Project Charter Template
    • ITAM Demonstration Script Template
    • Proof of Concept Template
    • ITAM Vendor Evaluation Workbook

    Optimize Software Pricing in a Volatile Competitive Market

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    Your challenge:

    • Rising supplier costs and inflation are eroding margins and impacting customers' budgets.
    • There is pressure from management to make a gut-feeling decision because of time, lack of skills, and process limitations.
    • You must navigate competing pricing-related priorities among product, sales, and finance teams.
    • Product price increases fail because discovery lacks understanding of costs, price/value equation, and competitive price points.
    • Customers can react negatively, and results are seen much later (more than 12 months) after the price decision.

    Our Advice

    Critical Insight

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and make ongoing adjustments based on an ability to monitor buyer, competitor, and product cost changes.

    Impact and Result

    • Success for many SaaS product managers requires a reorganization and modernization of pricing tools, techniques, and assumptions. Leaders will develop the science of tailored price changes versus across-the-board price actions and account for inflation exposure and the customers’ willingness to pay.
    • This will build skills on how to price new products or adjust pricing for existing products. The discipline built using our pricing strategy methodology will strengthen efforts to develop repeatable pricing models and processes and build credibility with senior management.

    Optimize Software Pricing in a Volatile Competitive Market Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Optimize Software Pricing in a Volatile Competitive Market Executive Brief - A deck to build your skills on how to price new products or adjust pricing for existing products.

    This Executive Brief will build your skills on how to price new products or adjust pricing for existing products.

    • Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    2. Optimize Software Pricing in a Volatile Competitive Market Storyboard – A deck that provides key steps to complete the project.

    This blueprint will build your skills on how to price new products or adjust pricing for existing products with documented key steps to complete the pricing project and use the Excel workbook and customer presentation.

    • Optimize Software Pricing in a Volatile Competitive Market – Phases 1-3

    3. Optimize Software Pricing in a Volatile Competitive Market Workbook – A tool that enables product managers to simplify the organization and collection of customer and competitor information for pricing decisions.

    These five organizational workbooks for product pricing priorities, interview tracking, sample questions, and critical competitive information will enable the price team to validate price change data through researching the three pricing schemes (competitor, customer, and cost-based).

    • Optimize Software Pricing in a Volatile Competitive Market Workbook

    4. Optimize Software Pricing in a Volatile Competitive Market Presentation Template – A template that serves as a guide to communicating the Optimize Pricing Strategy team's results for a product or product line.

    This template includes the business case to justify product repricing, contract modifications, and packaging rebuild or removal for launch. This template calls for the critical summarized results from the Optimize Software Pricing in a Volatile Competitive Market blueprint and the Optimize Software Pricing in a Volatile Competitive Market Workbook to complete.

    • Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Further reading

    SoftwareReviews, a division of Info-Tech Research Group

    Optimize Software Pricing in a Volatile Competitive Market

    Leading SaaS product managers align pricing strategy to company financial goals and refresh the customer price/value equation to avoid leaving revenues uncaptured.

    Table of Contents

    1. Executive Brief
    2. Key Steps
    3. Concluding Slides

    EXECUTIVE BRIEF

    Analyst Perspective

    Optimized Pricing Strategy

    Product managers without well-documented and repeatable pricing management processes often experience pressure from “Agile” management to make gut-feel pricing decisions, resulting in poor product revenue results. When combined with a lack of customer, competitor, and internal cost understanding, these process and timing limitations drive most product managers into suboptimal software pricing decisions. And, adding insult to injury, the poor financial results from bad pricing decisions aren’t fully measured for months, which further compounds the negative effects of poor decision making.

    A successful product pricing strategy aligns finance, marketing, product management, and sales to optimize pricing using a solid understanding of the customer perception of price/value, competitive pricing, and software production costs.

    Success for many SaaS product managers requires a reorganization and modernization of pricing tools, techniques, and data. Leaders will develop the science of tailored price changes versus across-the-board price actions and account for inflation exposure and the customers’ willingness to pay.

    This blueprint will build your skills on how to price new products or adjust pricing for existing products. The discipline you build using our pricing strategy methodology will strengthen your team’s ability to develop repeatable pricing and will build credibility with senior management and colleagues in marketing and sales.

    Joanne Morin Correia
    Principal Research Director
    SoftwareReviews

    Executive Summary

    Organizations struggle to build repeatable pricing processes:
    • A lack of alignment and collaboration among finance, marketing, product development, and sales.
    • A lack of understanding of customers, competitors, and market pricing.
    • Inability to stay ahead of complex and shifting software pricing models.
    • Time is wasted without a deep understanding of pricing issues and opportunities, and revenue opportunities go unrealized.
    Obstacles add friction to the pricing management process:
    • Pressure from management to make quick decisions results in a gut-driven approach to pricing.
    • A lack of pricing skills and management processes limits sound decision making.
    • Price changes fail because discovery often lacks competitive intelligence and buyer value to price point understanding. Customers’ reactions are often observed much later, after the decision is made.
    • Economic disruptions, supplier price hikes, and higher employee salaries/benefits are driving costs higher.
    Use SoftwareReviews’ approach for more successful pricing:
    • Organize for a more effective pricing project including roles & responsibilities as well as an aligned pricing approach.
    • Work with CFO/finance partner to establish target price based on margins and key factors affecting costs.
    • Perform a competitive price assessment and understand the buyer price/value equation.
    • Arrive at a target price based on the above and seek buy-in and approvals.

    SoftwareReviews Insight

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and they will make ongoing adjustments based on an ability to monitor buyers, competitors, and product cost changes.

    What is an optimized price strategy?

    “Customer discovery interviews help reduce the chance of failure by testing your hypotheses. Quality customer interviews go beyond answering product development and pricing questions.” (Pricing Strategies, Growth Ramp, March 2022)

    Most product managers just research their direct competitors when launching a new SaaS product. While this is essential, competitive pricing intel is insufficient to create a long-term optimized pricing strategy. Leaders will also understand buyer TCO.

    Your customers are constantly comparing prices and weighing the total cost of ownership as they consider your competition. Why?

    Implementing a SaaS solution creates a significant time burden as buyers spend days learning new software, making sure tools communicate with each other, configuring settings, contacting support, etc. It is not just the cost of the product or service.

    Optimized Price Strategy Is…
    • An integral part of any product plan and business strategy.
    • Essential to improving and maintaining high levels of margins and customer satisfaction.
    • Focused on matching the product price to your customer’s business value.
    • Understanding customer price-value for your software segment.
    • Monitoring your product pricing with real-time data to ensure support for competitive strategy.
    Price Strategy Is Not…
    • Increasing or decreasing price on a gut feeling.
    • Changing price for short-term gain.
    • Being wary of asking customers pricing-related questions.
    • Haphazardly focusing entirely on profit.
    • Just covering product costs.
    • Only researching direct competitors.
    • Focusing on your own or your company’s satisfaction rather than on your target customers.
    • Picking the first strategy you see.

    SoftwareReviews Insight

    An optimized pricing strategy establishes the “best” price for a product or service that maximizes profits and shareholder value while considering customer business value vs. the cost to purchase and implement – the total cost of ownership (TCO).

    Challenging environment

    Product managers are currently experiencing the following:
    • Supplier costs and inflation are rising, eroding product margins and impacting customers’ budgets.
    • Pressure from management to make a gut-feeling decision because of time, lack of skills, and process limitations.
    • Navigating competing pricing-related priorities among product, sales, and finance.
    • Product price increases that fail because discovery lacks understanding of costs, price/value equation, and competitive price points.
    • Slowing customer demand due to poorly priced offerings may not be fully measured for many months following the price decision.
    Doing nothing is NOT an option!
    Offense
    • Double Down (existing markets and customers)
      Benefit: Leverage long-term financial and market assets
      Risk: Market may not value those assets in the future
    • Fight Back (new markets and customers)
      Benefit: Move quickly
      Risk: Hard to execute and easy to get pricing wrong

    Defense
    • Retrench (existing markets and customers)
      Benefit: Reduce threats from new entrants through scale and marketing
      Risk: Causes managed decline and is hard to sell to leadership
    • Move Away (new markets and customers)
      Benefit: Seize opportunities for new revenue sources
      Risk: Diversification is challenging to pull off

    Pricing skills are declining

    Among product managers, limited pricing skills are big obstacles that make pricing difficult and under-optimized.

    Visual of a bar chart with descending values, each bar has written on it: 'Limited - Limits in understanding of engineering, marketing, and sales expectations or few processes for pricing and/or cost', 'Inexperienced - Inexperience in pricing project skills and corporate training', 'Lagging - Financial lag indicators (marketing ROI, revenue, profitability, COGs)', 'Lacking - Lack of relevant competitive pricing/packaging information', 'Shifting - Shift to cloud subscription-based revenue models is challenging'.

    The top three weakest product management skills have remained constant over the past five years:
    • Competitive analysis
    • Pricing
    • End of life
    Pricing is the weakest skill and has been declining the most among surveyed product professionals every year. (Adapted from 280 Group, 2022)

    Key considerations for more effective pricing decisions

    Pricing teams can improve software product profitability by:
    • Optimizing software profit with four critical elements: properly pricing your product, giving complete and accurate quotations, choosing the terms of the sale, and selecting the payment method.
    • Implementing tailored price changes (versus across-the-board price actions) to help account for inflation exposure, customer willingness to pay, and product attribute changes.
    • Accelerating ongoing pricing decision-making with a dedicated cross-functional team ready to act quickly.
    • Resetting discounting and promotion, and revisiting service-level agreements.
    Software pricing leaders will regularly assess:

    Has it been over a year since prices were updated?

    Have customers told you to raise your prices?

    Do you have the right mix of customers in each pricing plan?

    Do 40% of your customers say they would be very disappointed if your product disappeared? (Adapted from Growth Ramp, 2021)

    Case Study

    Middleware Vendor

    Industry: Technology Middleware
    Source: SoftwareReviews Custom Pricing Strategy Project

    A large middleware vendor running on Microsoft Azure, known for quality development and website tools, needed to react strategically to the March 2022 Microsoft price increase.

    Key Initiative: Optimize New Pricing Strategy

    The program’s core objective was to determine if the vendor should implement a price increase and how the product should be packaged within the new pricing model.

    For this initiative, the company interviewed buyers using three key questions: What are the core capabilities to focus on building/selling? What are the optimal features and capabilities valued by customers that should be sold together? And should they be charging more for their products?

    Results
    This middleware vendor saw buyer support for a 10% price increase to their product line and restructuring of vertical contract terms. This enabled them to retain customers over multi-year subscription contracts, and the price increase enabled them to protect margins after the Microsoft price increase.

    The Optimize New Pricing Strategy included the following components:

    Components: 'Product Feature Importance & Satisfaction', 'Correlation of Features and Value Drivers', 'Fair Cost to Value Average for Category', 'Average Discounting for Category', 'Customer Value Is an Acceptable Multiple of Price'. First four: 'Component falls into the scope of optimizing price strategy to value'; last one: 'They are optimizing their price strategy decisions'.

    New product price approach

    As a collaborative team across product management, marketing, and finance, we see leaders taking a simple yet well-researched approach when setting product pricing.

    Iterating to a final price point is best done with research into how product pricing:

    • Delivers target margins.
    • Is positioned vs. key competitors.
    • Delivers customer value at a fair price/value ratio.
    To arrive at our new product price, we suggest iterating among 3 different views:

    New Target Price:

    • Buyer Price vs. Value
    • Cost-Plus
    • Vs. Key Competitors
    We analyzed:
    • Customer price/value equation interviews
    • Impacts of supplier cost increases
    • Competitive pricing research
    • How product pricing delivers target margins

    Who should care about optimized pricing?

    Product managers and marketers who:

    • Support the mandate for optimizing pricing and revenue generation.
    • Need a more scientific way to plan and implement new pricing processes and methods to optimize revenues and profits.
    • Want a way to better apply customer and competitive insights to product pricing.
    • Are evaluating current pricing and cost control to support a refreshed pricing strategy.

    Finance, sales, and marketing professionals who are pricing stakeholders in:

    • Finding alternatives to current pricing and packaging approaches.
    • Looking for ways to optimize price within the shifting market momentum.

    How will they benefit from this research?

    • Refine the ability to effectively target pricing to specific market demands and customer segments.
    • Strengthen product team’s reputation for reliable and repeatable price-management capabilities among senior leadership.
    • Recognize and plan for new revenue opportunities or cost increases.
    • Allow for faster, more accurate intake of customer and competitive data. 
    • Improve pricing skills for professional development and business outcomes.
    • Create new product price, packaging, or market opportunities. 
    • Reduce financial costs and mistakes associated with manual efforts and uneducated guessing.
    • Price software products that better achieve financial goals optimizing revenue, margins, or market share.
    • Enhance the product development and sales processes with real competitive and customer expectations.

    Is Your Pricing Strategy Optimized?

    With the right pricing strategy, you can invest more money into your product, service, or growth. A 1% price increase will improve revenues by:

    Three bars: 'Customer acquisition, 3.32%', 'Customer retention, 6.71%', 'Price monetization, 12.7%'.

    Price monetization will almost double the revenue increases over customer acquisition and retention. (Pricing Strategies, Growth Ramp, March 2022)

    DIAGNOSE PRICE CHALLENGES

    Prices of today's cloud-based services/products are often misaligned against competition and customers' perceived value, leaving more revenues on the table.
    • Do you struggle to price new products with confidence?
    • Do you really know your SaaS product's costs?
    • Have you lost pricing power to stronger competitors?
    • Has cost focus eclipsed customer value focus?
    If so, you are likely skipping steps and missing key outputs in your pricing strategy.

    OPTIMIZE THESE STEPS

    ALIGNMENT
    1. Assign Team Responsibilities
    2. Set Timing for Project Deliverables
    3. Clarify Financial Expectations
    4. Collect Customer Contacts
    5. Determine Competitors
    6. BEFORE RESEARCH, HAVE YOU:
      Documented your executive's financial expectations? If "No," return.

    RESEARCH & VALIDATE
    1. Research Competitors
    2. Interview Customers
    3. Test Pricing vs. Financials
    4. Create Pricing Presentation
    5. BEFORE PRESENTING, HAVE YOU:
      Clarified your customer and competitive positioning to validate pricing? If "No," return.

    BUY-IN
    1. Executive Pricing Presentation
    2. Post-Mortem of Presentation
    3. Document New Processes
    4. Monitor the Pricing Changes
    5. BEFORE RESEARCH, HAVE YOU:
      Documented your executive's financial expectations? If "No," return.

    DELIVER KEY OUTPUTS

    Sponsoring executive sign-offs require a well-articulated pricing plan and business case for investment that includes:
    • Competitive features and pricing financial templates
    • Customer validation of price value
    • Optimized price presentation
    • Repeatable pricing processes to monitor changes

    REAP THE REWARDS

    • Product pricing is better aligned to achieve financial goals
    • Improved pricing skills or professional development
    • Stronger team reputation for reliable price management

    Key Insights

    1. Gain a competitive edge by using market and customer information to optimize product financials, refine pricing, and speed up decisions.
    2. Product leaders will best set software product price based on a deep understanding of the buyer price/value equation, alignment with financial strategy, and an ongoing ability to monitor buyer, competitor, and product costs.

    SoftwareReviews’ methodology for optimizing your pricing strategy

    Steps

    1.1 Establish the Team and Responsibilities
    1.2 Educate/Align Team on Pricing Strategy
    1.2 Document Portfolio & Target Product(s) for Pricing Updates
    1.3 Clarify Product Target Margins
    1.4 Establish Customer Price/Value
    1.5 Identify Competitive Pricing
    1.6 Establish New Price and Gain Buy-In

    Outcomes

    1. Well-organized project
    2. Clarified product pricing strategy
    3. Customer value vs. price equation
    4. Competitive price points
    5. Approvals

    Insight summary

    Modernize your price planning

    Product leaders will price products based on a deep understanding of the buyer price/value equation and alignment with financial and competitive pricing strategies, and make ongoing adjustments based on an ability to monitor buyer, competitor, and product cost changes.

    Ground pricing against financials

    Meet and align with financial stakeholders.
    • Give finance a heads-up that you want to work with them.
    • Find out the CFO’s expectations for pricing and margins.
    • Ask for a dedicated finance team member.

    Align on pricing strategy

    Lead stakeholders in SaaS product pricing decisions to optimize pricing based on four drivers:
    • Customer’s price/value
    • Competitive strategy
    • Reflective of costs
    • Alignment with financial goals

    Decrease time for approval

    Drive price decisions, with the support of the CFO, to the business value of the suggested change:
    • Reference current product pricing guidelines
    • Compare to the competition and our strategy and weigh results against our customer’s price/value
    • Compare against the equation to business value for the suggested change

    Develop the skill of pricing products

    Increase product revenues and margins by enhancing modern processes and data monetization. Shift from intuitive to information-based pricing decisions.

    Look at other options for revenue

    Adjust product design, features, packaging, and contract terms while maintaining the functionality customers find valuable to their business.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
    Key deliverable:

    New Pricing Strategy Presentation Template

    Capture key findings for your price strategy with the Optimize Your Pricing in a Volatile Competitive Market Strategy Presentation Template.

    Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    This executive brief will build your knowledge on how to price new products or adjust pricing for existing products.

    Optimize Software Pricing in a Volatile Competitive Market Workbook

    This workbook will help you prioritize which products require repricing, hold customer interviews, and capture competitive insights.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews analyst to help implement our best practices in your organization.

    A typical GI is 4 to 8 calls over the course of 2 to 4 months.

    What does a typical GI on optimizing software pricing look like?

    Alignment

    Research & Reprice

    Buy-in

    Call #1: Share the pricing team vision and outline activities for the pricing strategy process. Plan next call – 1 week.

    Call #2: Outline products that require a new pricing approach and steps with finance. Plan next call – 1 week.

    Call #3: Discuss the customer interview process. Plan next call – 1 week.

    Call #4: Outline competitive analysis. Plan next call – 1 week.

    Call #5: Review customer and competitive results for initial new pricing business case with finance for alignment. Plan next call – 3 weeks.

    Call #6: Review the initial business case against financial plans across marketing, sales, and product development. Plan next call – 1 week.

    Call #7: Review the draft executive pricing presentation. Plan next call – 1 week.

    Call #8: Discuss gaps in executive presentation. Plan next call – 3 days.

    SoftwareReviews Offers Various Levels of Support to Meet Your Needs

    Included in Advisory Membership Optional add-ons

    • DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
    • Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
    • Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
    • Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Desire a Guided Implementation?

    • A GI is where your SoftwareReviews engagement manager and executive advisor/counselor will work with SoftwareReviews research team members to craft with you a Custom Key Initiative Plan (CKIP).
    • A CKIP guides your team through each of the major steps, outlines responsibilities between members of your team and SoftwareReviews, describes expected outcomes, and captures actual value delivered.
    • A CKIP also provides you and your team with analyst/advisor/counselor feedback on project outputs, helps you communicate key principles and concepts to your team, and helps you stay on project timelines.
    • If Guided Implementation assistance is desired, contact your engagement manager.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889
    Day 1: Align Team, Identify Customers, and Document Current Knowledge

    Activities
    1.1 Identify team members, roles, and responsibilities
    1.2 Establish timelines and project workflow
    1.3 Gather current product and future financial margin expectations
    1.4 Review the Optimize Software Executive Brief and Workbook Templates
    1.4 Build prioritized pricing candidates hypothesis

    Deliverables
    1. Documented steering committee and working team
    2. Current and initial new pricing targets for strategy
    3. Documented team knowledge

    Day 2: Validate Initial Insights and Identify Competitors and Market View

    Activities
    2.1 Identify customer interviewee types by segment, region, etc.
    2.2 Hear from industry analysts their perspectives on the competitors, buyer expectations, and price trends
    2.3 Research competitors for pricing, contract type, and product attributes

    Deliverables
    1. Understanding of market and potential target interviewee types
    2. Objective competitive research

    Day 3: Schedule and Hold Buyer Interviews

    Activities
    3.2 Review pricing and attributes survey and interview questionnaires
    3.2 Hold interviews and use interview guides (over four weeks)
    A gap of up to 4 weeks for scheduling of interviews.
    3.3 Hold review session after initial 3-4 interviews to make adjustments

    Deliverables
    1. Initial review – “Are we going in the right direction with surveys?”
    2. Validate or adjust the pricing surveys to what you hear in the market

    Day 4: Summarize Findings and Provide Actionable Guidance to Stakeholders

    Activities
    4.1 Review all draft price findings against the market view
    4.2 Review Draft Executive Presentation

    Deliverables
    1. Complete findings and compare to the market
    2. Review and finish drafting the Optimize Software Pricing Strategy presentation

    Day 5: Present, Go Forward, and Measure Impact and Results

    Activities
    5.1 Review finalized pricing strategy plan with analyst for market view
    5.2 Review for comments on the final implementation plan

    Deliverables
    1. Final input on strategy
    2. Review of suggested next steps and implementation plan

    Our process

    Align team, perform research, and gain executive buy-in on updated price points

    1. Establish the team and responsibilities
    2. Educate/align team on pricing strategy
    3. Document portfolio & target product(s) for pricing updates
    4. Clarify product target margins
    5. Establish customer price/value
    6. Identify competitive pricing
    7. Establish new price and gain buy-in

    Optimize Software Pricing in a Volatile Competitive Market

    Our process will help you deliver the following outcomes:

    • Well-organized project
    • Clarified product pricing strategy
    • Customer value vs. price equation
    • Competitive price points
    • Approvals

    This project involves the following participants:

    • Product management
    • Program leadership
    • Product marketing
    • CFO or finance representative/partner
    • Others
    • Representative(s) from Sales

    1.0 Assign team responsibilities

    Input: Steering committee roles and responsibilities, Steering committee interest and role

    Output: List of new pricing strategy steering committee and workstream members, roles, and timelines, Updated Software Pricing Strategy presentation

    Materials: Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: CFO, sponsoring executive, Functional leads – development, product marketing, product management, marketing, sales, customer success/support

    1-2 hours
    1. The product manager/member running this pricing/repricing program should review the entire Optimize Software Pricing in a Volatile Competitive Market blueprint and each blueprint attachment.
    2. The product manager should also refer to slide 19 of the Optimize Software Pricing in a Volatile Competitive Market blueprint and decide if help via a Guided Implementation (GI) is of value. If desired, alert your SoftwareReviews engagement manager.
    1-2 hours
    1. The product manager should meet with the chief product officer/CPO and functional leaders, and set the meeting agenda to:
      1. Nominate steering committee members.
      2. Nominate work-stream leads.
      3. Establish key pricing project milestones.
      4. Schedule both the steering committee (suggest monthly) and workstream lead meetings (suggest weekly) through the duration of the project.
      5. Ask the CPO to craft, outside this meeting, his/her version of the “Message from the chief product officer.”
      6. If a Guided Implementation is selected, inform the meeting attendees that a SoftwareReviews analyst will join the next meeting to share his/her Executive Brief on Pricing Strategy.
    2. Record all above findings in the Optimize Software Pricing in a Volatile Competitive Market Presentation Template.

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    SoftwareReviews Advisory Insight:

    Pricing steering committees are needed to steer overall product, pricing, and packaging decisions. Some companies include the CEO and CFO on this committee and designate it as a permanent body that meets monthly to give go/no-go decisions to “all things product and pricing related” across all products and business units.

    2.0 Educate the team

    1 hour

    Input: Typically, a joint recognition that pricing strategies need upgrading and have not been fully documented, Steering committee and working team members

    Output: Communication of team members involved and the makeup of the steering committee and working team, Alignment of team members on a shared vision of “why a new price strategy is critical” and what key attributes define both the need and impact on business

    Materials: Optimize Your Software Strategy Executive Brief PowerPoint presentation

    Participants: Initiative manager – individual leading the new pricing strategy, CFO/sponsoring executive, Working team – typically representatives in product marketing, product management, and sales, SoftwareReviews marketing analyst (optional)

    1. Walk the team through the Optimize Software Pricing in a Volatile Competitive Market Executive Brief PowerPoint presentation.
    2. Optional – Have the SoftwareReviews Advisory (SRA) analyst walk the team through the Optimize Software Pricing in a Volatile Competitive Market Executive Brief PowerPoint presentation as part of your session. Contact your engagement manager to schedule.
    3. Walk the team through the current version of the Optimize Software Pricing in a Volatile Competitive Market Presentation Template outlining project goals, steering committee and workstream make-up and responsibilities, project timeline and key milestones, and approach to arriving at new product pricing.
    4. Set expectations among team members of their specific roles and responsibilities for this project, and review the frequency of steering committee and workstream meetings to set expectations for key milestones and deliverable due dates.

    Download the Optimize Software Pricing in a Volatile Competitive Market Executive Brief

    3.0 Document portfolio and target products for pricing update

    1-3 Hours

    Input: List of entire product portfolio

    Output: Prioritized list of product candidates that should be repriced

    Materials: Optimize Software Pricing in a Volatile Competitive Market Executive Brief presentation, Optimize Software Pricing in a Volatile Competitive Market Workbook

    Participants: Initiative manager – individual leading the new pricing strategy, CFO/sponsoring executive, Working team – typically representatives in product marketing, product management, and sales

    1. Walk the team through the current version of Optimize Software Pricing in a Volatile Competitive Market workbook, tab 2: “Product Portfolio Organizer.” Modify sample attributes to match your product line where necessary.
    2. As a group, record the product attributes for your entire portfolio.
    3. Prioritize the product price optimization candidates for repricing with the understanding that it might change after meeting with finance.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    4.0 Clarify product target margins

    2-3 sessions of 1 Hour each

    Input: Finance partner/CFO knowledge of target product current and future margins, Finance partner/CFO who has information on underlying costs with details that illustrate supplier contributions

    Output: Product finance markup target percentage margins and revenues

    Materials: Finance data on the product family, Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Finance partner/CFO

    1. Schedule a meeting with your finance partner/CFO to validate expectations for product margins. The goal is to understand the detail of underlying costs/margins and whether supplier costs affect the product family. Record the information in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 2: “Product Portfolio Organizer,” under the “Unit Margins” heading.
    2. Arrive at a final “Cost-Plus New Price” based on underlying costs and target margins for each of the products. Record results in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 2, under the “Cost-Plus New Price” heading.
    3. Record product target finance markup price under “Cost-Plus” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and details in Appendix, “Cost-Plus Analysis,” slide 11.
    4. Repeat this process for any other products to be repriced.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    5.0 Establish customer price to value

    1-4 weeks

    Input: Identify segments within which you require price-to-value information, Understand your persona insight gaps, Review Sample Interview Guide using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide.”

    Output: List of interviewees, Updated Interview Guide

    Materials: Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Customer success to help identify interviewees, Customers, prospects

    1. Identify a list of customers and prospects that best represent your target persona when interviewed. Choose interviewees who will inform key differences among key segments (geographies, company size, a mix of customers and prospects, etc.) and who are decision makers and can best inform insights on price/value and competitors.
    2. Recruit interviewees and schedule 30-minute interviews.
    3. Keep track of interviewees using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 3: “Interviewee Tracking.”
    4. Review the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide,” and modify/update it where appropriate.
    5. Record interviewee perspectives on the “price they are willing to pay for the value received” (price/value equation) using the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 4: “Interview Guide.”
    6. Summarize findings to result in an average “customer’s value price.” Record product target “customer’s value price” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and supporting details in Appendix, “Customer Pricing Analysis,” slide 12.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    6.0 Identify competitive pricing

    1-2 weeks

    Input: Identify price candidate competitors, Your product pricing, contract type, and product attribute information to compare against, Knowledge of existing competitor information, websites, and technology research sites to guide questions

    Output: Competitive product average pricing

    Materials: Optimize Software Pricing in a Volatile Competitive Market Workbook, Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Customers, prospects

    1. Identify the top 3-5 competitors’ products that you most frequently compete against with your selected product.
    2. Perform competitive intelligence research on deals won or lost that contain competitive pricing insights by speaking with your sales force.
    3. Use the interviews with key customers to also inform competitive pricing insights. Include companies which you may have lost to a competitor in your customer interviewee list.
    4. Modify and add key competitive pricing, contract, or product attributes in the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 5: “Competitive Information.”
    5. Place your product’s information into the Optimize Software Pricing in a Volatile Competitive Market Workbook, tab 5: “Competitive Information.”
    6. Research your competitors’ pricing and product attributes, and enter the summarized insights into the workbook.
    7. Summarize research on competitors to arrive at an average “Competitors Avg. Price.” Record in “Customer’s Value Price” in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9, and details in Appendix, “Competitor Pricing Analysis,” slide 13.

    Download the Optimize Software Pricing in a Volatile Competitive Market Workbook

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    7.0 Establish new price and gain buy-in

    2-3 hours

    Input: Findings from competitive, cost-plus, and customer price/value analysis

    Output: Approvals for price change

    Materials: Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Participants: Initiative manager, Steering committee, Working team – typically representatives in product marketing, product management, sales

    1. Using prior recorded findings of Customer’s Value Price, Competitors’ Avg. Price, and Finance Markup Price, arrive at a recommended “New Price” and record in Optimize Software Pricing in a Volatile Competitive Market Presentation Template, slide 9 and the Appendix for Project Analysis Details.
    2. Present findings to steering committee. Be prepared to show customer interviews and competitive analysis results to support your recommendation.
    3. Plan internal and external communications and discuss the timing of when to “go live” with new pricing. Discuss issues related to migration to a new price, how to handle currently low-priced customers, and how to migrate them over time to the new pricing.
    4. Identify if it makes sense to target a date to launch the new pricing in the future, so customers can be alerted in advance and therefore take advantage of “current pricing” to drive added revenues.
    5. Confer with IT to assess times required to implement within CPQ systems and with product marketing for time to change sales proposals, slide decks, and any other affected assets and systems.

    Download the Optimize Software Pricing in a Volatile Competitive Market Presentation Template

    Summary of Accomplishment

    Problem Solved

    With the help of this blueprint, you have deepened your and your company’s understanding of how to look at new pricing opportunities and what the market and the buyer will pay for your product. You are among the minority of product and marketing leaders that have thoroughly documented their new pricing strategy and processes – congratulations!

    The benefits of having led your team through the process are significant and include the following:

    • Allow for faster, more accurate intake of customer and competitive data 
    • Refine the ability to effectively target pricing to specific market demands and customer segments 
    • Understand the association between the value proposition of products and services
    • Reduce financial costs and mistakes associated with manual efforts & uneducated guessing
    • Recognize and plan for new revenue opportunities or cost increases
    • Create new market or product packaging opportunities
    And finally, by bringing your team along with you in this process, you have also led your team to become more customer-focused while pricing your products – a strategic shift that all organizations should pursue.

    If you would like additional support, contact us and we’ll make sure you get the professional expertise you need.

    Contact your account representative for more information.

    info@softwarereviews.com
    1-888-670-8889


    Document and Maintain Your Disaster Recovery Plan

    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $52,224 Average $ Saved
    • member rating average days saved: 38 Average Days Saved
    • Disaster recovery plan (DRP) documentation is often driven by audit or compliance requirements rather than aimed at the team that would need to execute recovery.
    • Between day-to-day IT projects and the difficulty of maintaining 300+ page manuals, DRP documentation is not updated and quickly becomes unreliable.
    • Inefficient publishing strategies result in your DRP not being accessible during disaster or key staff not knowing where to find the latest version.

    Our Advice

    Critical Insight

    • DR documentation fails when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s too long, too hard to maintain, and ends up being little more than shelf-ware.
    • Using flowcharts, checklists, and diagrams aimed at an IT audience is more concise and effective in a disaster, quicker to create, and easier to maintain.
    • Create your DRP in layers to keep the work manageable. Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

    Impact and Result

    • Create visual and concise DR documentation that strips out unnecessary content and is written for an IT audience – the team that would actually be executing the recovery. Your business leaders can take the same approach to create separate business response plans. Don’t mix the two in an all-in-one plan that is not effective for either audience.
    • Determine a documentation distribution strategy that supports ease of maintenance and accessibility during a disaster.
    • Incorporate DRP maintenance into change management procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

    Document and Maintain Your Disaster Recovery Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should adopt a visual-based DRP, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Streamline DRP documentation

    Start by documenting your recovery workflow. Create supporting documentation in the form of checklists, flowcharts, topology diagrams, and contact lists. Finally, summarize your DR capabilities in a DRP Summary Document for stakeholders and auditors.

    • Document and Maintain Your Disaster Recovery Plan – Phase 1: Streamline DRP Documentation

    2. Select the optimal DRP publishing strategy

    Select criteria for assessing DRP tools, and evaluate whether a business continuity management tool, document management solution, wiki site, or manually distributing documentation is best for your DR team.

    • Document and Maintain Your Disaster Recovery Plan – Phase 2: Select the Optimal DRP Publishing Strategy
    • DRP Publishing and Document Management Solution Evaluation Tool
    • BCM Tool – RFP Selection Criteria

    3. Keep your DRP relevant through maintenance best practices

    Learn how to integrate DRP maintenance into core IT processes, and learn what to look for during testing and during annual reviews of your DRP.

    • Document and Maintain Your Disaster Recovery Plan – Phase 3: Keep Your DRP Relevant Through Maintenance Best Practices
    • Sample Project Intake Form Addendum for Disaster Recovery
    • Sample Change Management Checklist for Disaster Recovery
    • DRP Review Checklist
    • DRP-BCP Review Workflow (Visio)
    • DRP-BCP Review Workflow (PDF)

    4. Appendix: XMPL Case Study

    Model your DRP after the XMPL case study disaster recovery plan documentation.

    • Document and Maintain Your Disaster Recovery Plan – Appendix: XMPL Case Study
    • XMPL DRP Summary Document
    • XMPL Notification, Assessment, and Declaration Plan
    • XMPL Systems Recovery Playbook
    • XMPL Recovery Workflows (Visio)
    • XMPL Recovery Workflows (PDF)
    • XMPL Data Center and Network Diagrams (Visio)
    • XMPL Data Center and Network Diagrams (PDF)
    • XMPL DRP Business Impact Analysis Tool
    • XMPL DRP Workbook

    Workshop: Document and Maintain Your Disaster Recovery Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Streamline DRP Documentation

    The Purpose

    Teach your team how to create visual-based documentation.

    Key Benefits Achieved

    Learn how to create visual-based DR documentation.

    Activities

    1.1 Conduct a table-top planning exercise.

    1.2 Document your high-level incident response plan.

    1.3 Identify documentation to include in your playbook.

    1.4 Create an initial collection of supplementary documentation.

    1.5 Discuss what further documentation is necessary for recovering from a disaster.

    1.6 Summarize your DR capabilities for stakeholders.

    Outputs

    Documented high-level incident response plan

    List of documentation action items

    Collection of 1-3 draft checklists, flowcharts, topology diagrams, and contact lists

    Action items for ensuring that the DRP is executable for both primary and backup DR personnel

    DRP Summary Document

    2 Select the Optimal DRP Publishing Strategy

    The Purpose

    Learn the considerations for publishing your DRP.

    Key Benefits Achieved

    Identify the best strategy for publishing your DRP.

    Activities

    2.1 Select criteria for assessing DRP tools.

    2.2 Evaluate categories for DRP tools.

    Outputs

    Strategy for publishing DRP

    3 Learn How to Keep Your DRP Relevant Through Maintenance Best Practices

    The Purpose

    Address the common pain point of unmaintained DRPs.

    Key Benefits Achieved

    Create an approach for maintaining your DRP.

    Activities

    3.1 Alter your project intake considerations.

    3.2 Integrate DR considerations into change management.

    3.3 Integrate documentation into performance measurement and performance management.

    3.4 Learn best practices for maintaining your DRP.

    Outputs

    Project Intake Form Addendum Template

    Change Management DRP Checklist Template

    Further reading

    Document and Maintain Your Disaster Recovery Plan

    Put your DRP on a diet – keep it fit, trim, and ready for action.

    ANALYST PERSPECTIVE

    The traditional disaster recovery plan (DRP) “red binder” is dead. It takes too long to create, it’s too hard to maintain, and it’s not usable in a crisis.

    “This blueprint outlines the following key tactics to streamline your documentation effort and produce a better result:

    • Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.
    • Use flowcharts, checklists, and diagrams over traditional manuals. This drives documentation that is more concise, easier to maintain, and effective in a crisis.
    • Create your DRP in layers to get tangible results faster, starting with a recovery workflow that outlines your DR strategy, and then build out the specific documentation needed to support recovery.”
    (Frank Trovato, Research Director, Infrastructure, Info-Tech Research Group)

    This project is about DRP documentation after you have clarified your DR strategy; create these necessary inputs first

    These artifacts are the cornerstone for any disaster recovery plan.

    • Business Impact Analysis
    • DR Roles and Responsibilities
    • Recovery Workflow

    Missing a component? Start here. ➔ Create a Right-Sized Disaster Recovery Plan

    This blueprint walks you through building these inputs.
    Our approach saves clients on average US$16,825.22. (Clients self-reported an average saving of US$16,869.21 while completing the Create a Right-Sized Disaster Recovery Plan blueprint through advisory calls, guided implementations, or workshops (Info-Tech Research Group, 2017, N=129).)

    How this blueprint will help you document your DRP

    This Research is Designed For:

    • IT managers in charge of disaster recovery planning (DRP) and execution.
    • Organizations seeking to optimize their DRP using best-practice methodology.
    • Business continuity professionals that are involved with disaster recovery.

    This Research Will Help You:

    • Divide the process of creating DR documentation into manageable chunks, providing a defined scope for you to work in.
    • Identify an appropriate DRP document management and distribution strategy.
    • Ensure that DR documentation is up to date and accessible.

    This Research Will Also Assist:

    • IT managers preparing for a DR audit.
    • IT managers looking to incorporate components of DR into an IT operations document.

    This Research Will Help Them:

    • Follow a structured approach in building DR documentation using best practices.
    • Integrate DR into day-to-day IT operations.

    Executive summary

    Situation

    • DR documentation is often driven by audit or compliance requirements, rather than aimed at the team that would need to execute recovery.
    • Traditional DRPs are text-heavy, 300+ page manuals that are simply not usable in a crisis.
    • Compounding the problem, DR documentation is rarely updated, so it’s just shelf-ware.

    Complication

    • DRP is often given lower priority as day-to-day IT projects displace DR documentation efforts.
    • Inefficient publishing strategies result in your DRP not being accessible during disasters or key staff not knowing where to find the latest version.
    • Organizations that create traditional DRPs end up with massive manuals that are difficult to maintain, so they quickly become unreliable.

    Resolution

    • Create visual and concise DR documentation that strips out unnecessary content and is written for an IT audience – the team that would actually be executing the recovery. Your business leaders can take the same approach to create separate business response plans – don’t mix the two into an all-in-one plan that is not effective for either audience.
    • Determine a documentation distribution strategy that supports ease of maintenance and accessibility during a disaster.
    • Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

    Info-Tech Insight

    1. DR documentation fails when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s too long, too hard to maintain, and ends up being little more than shelf-ware.
    2. Using flowcharts, checklists, and diagrams aimed at an IT audience is more concise and effective in a disaster, quicker to create, and easier to maintain.
    3. Create your DRP in layers to keep the work manageable. Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

    An effective DRP that mitigates a wide range of potential outages is critical to minimizing the impact of downtime

    The criticality of having an effective DRP is underestimated.

    Cost of Downtime for the Fortune 1000
    • Cost of unplanned apps downtime per year: $1.25B to $2.5B
    • Cost of critical apps failure per hour: $500,000 to $1M
    • Cost of infrastructure failure per hour: $100,000
    • 35% reported to have recovered within 12 hours.
    • 17% of infrastructure failures took more than 24 hours to recover.
    • 13% of application failures took more than 24 hours to recover.
    Size of Impact Increasing Across Industries
    • The cost of downtime is rising across the board and not just for organizations that traditionally depend on IT (e.g. e-commerce).
    • Downtime cost increase since 2010:
      • Hospitality: 129% increase
      • Transportation: 108% increase
      • Media organizations: 104% increase
    Potential Lost Revenue
    A line graph of Potential Lost Revenue with vertical axis 'LOSS ($)' and horizontal axis 'TIME'. The line starts with low losses near the origin where 'Incident Occurs', gradually accelerates to higher losses as time passes, then decelerates before 'All Revenue Lost'. Note: 'Delay in recovery causes exponential revenue loss'.
    (Adapted from: Rothstein, Philip Jan. Disaster Recovery Testing: Exercising Your Contingency Plan (2007 Edition).)

    The impact of downtime increases significantly over time, not just in terms of lost revenue (as illustrated here) but also goodwill/reputation and health/safety. An effective DR solution and overall resiliency that mitigate a wide range of potential outages are critical to minimizing the impact of downtime.

    Without an effective DRP, your organization is gambling on being able to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks – and substantial impact.

    Only 38% of those with a full or mostly complete DRP believe their DRPs would be effective in a real crisis

    Organizations continue to struggle with creating DRPs, let alone making them actionable.

    Why are so many living with either an incomplete or ineffective DRP? For the same reasons that IT documentation in general continues to be a pain point:

    • It is an outdated model of what documentation should be – the traditional manual with detailed (lengthy) descriptions and procedures.
    • Despite the importance of DR, low priority is placed on creating a DRP and the day-to-day SOPs required to support a recovery.
    • There is a lack of effective processes for ensuring documentation stays up to date.
    A bar graph documenting percentages of survey responses about the completeness of their DRP. 'Only 20% of survey respondents indicated they have a complete DRP'. 13% said 'No DRP'. 33% said 'Partial DRP'. 34% said 'Mostly Completed'. 20% said 'Full DRP'.
    (Source: Info-Tech Research Group, N=165)
    A bar graph documenting percentages of survey responses about the level of confidence in their DRP. 'Only 38% of those who have a mostly completed or full DRP actually feel it would be effective in a crisis'. 4% said 'Low'. 58% said 'Unsure'. 38% said 'Confident'.
    (Source: Info-Tech Research Group, N=69 (includes only those who indicated DRP is mostly completed or completed))

    Improve usability and effectiveness with visual-based and more-concise documentation

    Choose flowcharts over process guides, checklists over lengthy procedures, and diagrams over descriptions.

    If you need a three-inch binder to hold your DRP, imagine having to flip through it to determine next steps during a crisis.

    DR documentation needs to be concise, scannable, and quickly understood to be effective. Visual-based documentation meets these requirements, so it’s no surprise that it also leads to higher DR success.

    DR success scores are based on:

    • Meeting recovery time objectives (RTOs).
    • Meeting recovery point objectives (RPOs).
    • IT staff’s confidence in their ability to meet RTOs/RPOs.
    A line graph of DR documentation types and their effectiveness. The vertical axis is 'DR Success', from Low to High. The horizontal axis is Documentation Type, from 'Traditional Manual' to 'Primarily flowcharts, checklists, and diagrams'. The line trends up to higher success with visual-based and more-concise documentation. (Source: Info-Tech Research Group, N=95)

    “Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow.” (Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management)

    Maintainability is another argument for visual-based, concise documentation

    There are two end goals for your DR documentation: effectiveness and maintainability. Without either, you will not have success during a disaster.

    Organizations using a visual-based approach were 30% more likely to find that DR documentation is easy to maintain. “Easy to maintain” leads to a 46% higher rate of DR success.
    Two bar graphs documenting survey responses regarding maintenance ease of DR documentation types. The first graph compares Traditional Manual vs Visual-based. For 'Traditional Manual' 72% responded they were Difficult to maintain while 28% responded they were Easy to maintain; for 'Visual-based' 42% responded they were Difficult to maintain while 58% responded they were Easy to maintain. Visual-based DR documentation received 30% more votes for Easy to Maintain. The second graph compares success rates of 'Difficult to Maintain' vs 'Easy to Maintain' DR documentation with Difficult being 31% and Easy being 77%, a 46% difference. 'Source: Info-Tech Research Group, N=96'.

    Not only are visual-based disaster recovery plans more effective, but they are also easier to maintain.

    Overcome documentation inertia with a tiered model that allows you to eat the elephant one bite at a time

    Start with a recovery workflow to at least ensure a coordinated response. Then use that workflow to determine required supporting documentation.

    Recovery Workflow: Starting the project with overly detailed documentation can slow down the entire process. Overcome planning inertia by starting with high-level incident response plans in a flowchart format. For examples and additional information, see XMPL Medical’s Recovery Workflows.

    Recovery Procedures (Systems Recovery Playbook): For each step in the high-level flowchart, create recovery procedures where necessary using additional flowcharts, checklists, and diagrams as appropriate. Leverage Info-Tech’s Systems Recovery Playbook example as a starting point.

    Additional Reference Documentation: Reference existing IT documentation, such as network diagrams and configuration documents, as well as more detailed step-by-step procedures where necessary (e.g. vendor documentation), particularly where needed to support alternate recovery staff who may not be as well versed as the primary system owners.

    Info-Tech Insight

    Organizations that use flowcharts, checklists, and diagrams over traditional, dense DRP manuals are far more likely to meet their RTOs/RPOs because their documentation is more usable and easier to maintain.

    Use a DRP summary document to satisfy executives, auditors, and clients

    Stakeholders don’t have time to sift through a pile of paper. Summarize your overall continuity capabilities in one easy-to-read place.

    DRP Summary Document

    • Summarize BIA results
    • Summarize DR strategy (including DR sites)
    • Summarize backup strategy
    • Summarize testing and maintenance plans

    Follow Info-Tech’s methodology to make DRP documentation efficient and effective

    Phases

    Phase 1: Streamline DRP documentation
    • 1.1 Start with a recovery workflow
    • 1.2 Create supporting DRP documentation
    • 1.3 Write the DRP Summary
    • Tools and Templates: End-to-End Sample DRP

    Phase 2: Select the optimal DRP publishing strategy
    • 2.1 Decide on a publishing strategy
    • Tools and Templates: DRP Publishing Evaluation Tool

    Phase 3: Keep your DRP relevant through maintenance best practices
    • 3.1 Incorporate DRP maintenance into core IT processes
    • 3.2 Conduct an annual focused review
    • Tools and Templates: Project In-take/Request Form, Change Management Checklist

    Follow XMPL Medical’s journey through DR documentation

    CASE STUDY

    Industry: Healthcare
    Source: Created by amalgamating data from Info-Tech’s client base

    Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

    Outline of the Disaster Recovery Plan

    XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

    Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

    Resulting Disaster Recovery Plan

    XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

    Disaster Recovery Plan
    • Recovery Workflow
    • Business Impact Analysis
    • DRP Summary
    • System Recovery Checklists
    • Communication, Assessment, and Disaster Declaration Plan

    Info-Tech Best Practice

    XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

    Model your disaster recovery documentation off of our example

    CASE STUDY

    Industry: Healthcare
    Source: Created by amalgamating data from Info-Tech’s client base

    Recovery Workflow:

    • Recovery Workflows (PDF, VSDX)

    Recovery Procedures (Systems Recovery Playbook):

    • DR Notification, Assessment, and Disaster Declaration Plan
    • Systems Recovery Playbook
    • Network Topology Diagrams

    Additional Reference Documentation:

    • DRP Workbook
    • Business Impact Analysis
    • DRP Summary Document

    Use Info-Tech’s DRP Maturity Scorecard to evaluate your progress

    Info-Tech offers various levels of support to best suit your needs

    • DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
    • Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
    • Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
    • Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Document and Maintain Your Disaster Recovery Plan – Project Overview

    1. Streamline DRP Documentation
    • Best-Practice Toolkit:
      • 1.1 Start with a recovery workflow
      • 1.2 Create supporting DRP documentation
      • 1.3 Write the DRP summary
    • Guided Implementations:
      • Review Info-Tech’s approach to DRP documentation.
      • Create a high-level recovery workflow.
      • Create supporting DRP documentation.
      • Write the DRP summary.
    • Onsite Workshop, Module 1: Streamline DRP documentation
    • Phase 1 Outcome: A complete end-to-end DRP

    2. Select the Optimal DRP Publishing Strategy
    • Best-Practice Toolkit:
      • 2.1 Create Committee Profiles
    • Guided Implementations:
      • Identify criteria for selecting a DRP publishing strategy.
      • Select a DRP publishing strategy.
      • Optional: Select requirements for a BCM tool and issue an RFP.
      • Optional: Review responses to RFP.
    • Onsite Workshop, Module 2: Select the optimal DRP publishing strategy
    • Phase 2 Outcome: Selection of a publishing and management tool for your DRP documentation

    3. Keep Your DRP Relevant
    • Best-Practice Toolkit:
      • 3.1 Build Governance Structure Map
      • 3.2 Create Committee Profiles
    • Guided Implementations:
      • Learn best practices for integrating DRP maintenance into day-to-day IT processes.
      • Learn best practices for DRP-focused reviews.
    • Onsite Workshop, Module 3: Learn best practices for keeping your DRP relevant
    • Phase 3 Outcome: Strategy for maintaining your DRP documentation

    Workshop Overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1: Assess DRP Maturity and Review Current Capabilities
    • Activities:
      • 0.1 Assess current DRP maturity through Info-Tech’s Maturity Scorecard.
      • 0.2 Identify the IT systems that support mission-critical business activities, and select 2 or 3 key applications to be the focus of the workshop.
      • 0.3 Identify current recovery strategies for selected applications.
      • 0.4 Identify current DR challenges for selected applications.
    • Deliverables:
      1. Baseline DRP metric (based on DRP Maturity Scorecard)

    Workshop Day 2: Document Your Recovery Workflow
    • Activities:
      • 1.1 Create a recovery workflow: review tabletop planning, walk through DR scenarios, identify DR gaps, and determine how to fill them.
    • Deliverables:
      1. High-level DRP workflow
      2. DRP gaps and risks identified

    Workshop Day 3: Create Supporting Documentation
    • Activities:
      • 1.2 Create supporting DRP documentation.
      • 1.3 Write the DRP summary.
    • Deliverables:
      1. Recovery workflow and/or checklist for sample of IT systems
      2. Customized DRP Summary Template

    Workshop Day 4: Establish a DRP Publishing, Management, and Maintenance Strategy
    • Activities:
      • 2.1 Decide on a publishing strategy.
      • 3.1 Incorporate DRP maintenance into core IT.
      • 3.2 Considerations for reviewing your DRP regularly.
    • Deliverables:
      1. Strategy for selecting a DRP publishing tool
      2. DRP management and maintenance strategy
      3. Workshop summary presentation deck

    Workshop Day 5: Info-Tech Analysts Finalize Deliverables

    Workshop Goal: Learn how to document and maintain your DRP.

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.


    Phase 1: Streamline DRP Documentation

    Step 1.1: Start with a recovery workflow

    PHASE 1: 1.1 Start with a Recovery Workflow, 1.2 Create Supporting Documentation, 1.3 Write the DRP Summary
    PHASE 2: 2.1 Select DRP Publishing Strategy
    PHASE 3: 3.1 Integrate into Core IT Processes, 3.2 Conduct an Annual Focused Review

    This step will walk you through the following activities:

    • Review a model DRP.
    • Review your recovery workflow.
    • Identify documentation required to support the recovery workflow.

    This step involves the following participants:

    • DRP Owner
    • System SMEs
    • Alternate DR Personnel

    Outcomes of this step

    • Understanding the visual-based, concise approach to DR documentation.
    • Creating a recovery workflow that provides a roadmap for coordinating incident response and identifying required supporting documentation.

    Info-Tech Insights

    A DRP is a collection of procedures and supporting documents that allow an organization to recover its IT services to minimize system downtime for the business.

    1.1 — Start with a recovery workflow to ensure a coordinated response and identify required supporting documentation

    The recovery workflow clarifies your DR strategy and ensures the DR team is on the same page.

    Recovery Workflow

    The recovery workflow maps out the incident response plan from event detection, assessment, and declaration to systems recovery and validation.

    This documentation includes:

    • Clarifying initial incident response steps.
    • Clarifying the order of systems recovery and which recovery actions can occur concurrently.
    • Estimating actual recovery timeline through each stage of recovery.
    Recovery Procedures (Playbook)
    Additional Reference Documentation

    “We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management.” (Assistant Director-IT Operations, Healthcare Industry)

    Review business impact analysis (BIA) results to plan your recovery workflow

    The BIA defines system criticality from the business’s perspective. Use it to guide system recovery order.

    Specifically, review the following from your BIA:

    • The list of tier 1, 2, and 3 applications. This will dictate the recovery order in your recovery workflow.
    • Application dependencies. This will outline what needs to be included as part of an application recovery workflow.
    • The recovery time objective (RTO) and recovery point objective (RPO) for each application. This will also guide the recovery, and enable you to identify gaps where the recovery workflow does not meet RTOs and RPOs.

    CASE STUDY: The XMPL DRP documentation is based on this Business Impact Analysis Tool.

    Haven’t conducted a BIA? Use Info-Tech’s streamlined approach.

    Info-Tech’s publication Create a Right-Sized Disaster Recovery Plan takes a very practical approach to BIA work. Our process gives IT leaders a mechanism to quickly get agreement on system recovery order and DR investment priorities.

    Conduct a tabletop planning exercise to determine your recovery workflow

    Associated Activity icon 1.1.1 Tabletop Planning Exercise

    1. Define a scenario to drive the tabletop planning exercise:
      • Use a scenario that forces a full failover to your DR environment, so you can capture an end-to-end recovery workflow.
      • Avoid scenarios that impact health and safety such as tornados or a fire. You want to focus on IT recovery.
      • Example scenarios: Burst water pipe that causes data-center-wide damage or a gas leak that forces evacuation and power to be shut down for at least two days.

    Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

    Info-Tech Insight

    Use scenarios to provide context for DR planning, and to test your plans, but don’t create a separate plan for every possibility.

    The high-level recovery plan will be the same whether the incident is a fire, flood, or tornado. While there might be some variances and outliers, these scenarios can be addressed by adding decision points and/or separate, supplementary instructions.

    Walk through the scenario and capture the recovery workflow

    Associated Activity icon 1.1.2 Tabletop Planning Exercise
    1. Capture the following information for tier 1, tier 2, and tier 3 systems:
      1. On white cue cards, record the steps and track start and end times for each step (where 00:00 is when the incident occurred).
      2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
      3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

    Note:

    • Ensure the language is sufficiently genericized (e.g. refer to events, not specifically a burst water pipe).
    • Review isolated failures (e.g. hardware, software). Typically, the recovery procedure documented for individual systems covers the essence of the recovery workflow whether it’s just the one system that failed or it’s part of a site-wide recovery.

    Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

    Document your current-state recovery workflow based on the results of the tabletop planning

    Supporting Tool icon 1.1.2 Incident Response Plan Flowcharts, Tabs 2 and 3

    After you finish the tabletop planning exercise, the steps on the set of cue cards define your recovery workflow. Capture this in a flowchart format.

    Use the sample DRP to guide your own flowchart. Some notes on the example are:

    • XMPL’s Incident Management to DR flowchart shows the connection between its standard Service Desk processes and DR processes.
    • XMPL’s high-level workflows outline its recovery of tier 1, 2, and 3 systems.
    • Where more detail is required, include links to supporting documentation. In this example, XMPL Medical includes links to its Systems Recovery Playbook.
    Preview of an Info-Tech Template depicting a sample flowchart.

    This sample flowchart is included in XMPL Recovery Workflows.

    Step 1.2: Create Supporting DRP Documentation

    This step will walk you through the following activities:

    • Create checklists for your playbook.
    • Document more complex procedures with flowcharts.
    • Gather and/or write network topology diagrams.
    • Compile a contact list.
    • Ensure there is enough material for backup personnel.

    This step involves the following participants:

    • DRP Owner
    • System SMEs
    • Backup DR Personnel

    Outcomes of this step

    • Actionable supporting documentation for your disaster recovery plan.
    • Contact list for IT personnel, business personnel, and vendor support.

    1.2 — Create supporting documentation for your disaster recovery plan

    Now that you have a high-level incident response plan, collect the information you need for executing that plan.

    Recovery Workflow

    Write your recovery procedures playbook to be effective and usable. Your playbook documentation should include:

    • Supplementary flowcharts
    • Checklists
    • Topology diagrams
    • Contact lists
    • DRP summary

    Reference vendors’ technical information in your flowcharts and checklists where appropriate.

    Recovery Procedures (Playbook)

    Additional Reference Documentation

    Info-Tech Insight

    Write for your audience. The playbook is for IT; include only the information they need to execute the plan. DRP summaries are for executives and auditors; do not include information intended for IT. Similarly, your disaster recovery plan is not for business units; keep BCP content out of your DRP.

    Use checklists to streamline step-by-step procedures

    Supporting Tool icon 1.2.1 XMPL Medical’s System Recovery Checklists

    Checklists are ideal when staff just need a reminder of what to do, not how to do it.

    XMPL Medical used its high-level flowcharts as a roadmap for creating its Systems Recovery Playbook.

    • Since its Playbook is intended for experienced IT staff, the writing style in the checklists is concise. XMPL includes links to reference material to support recovery, especially for alternate staff who might need additional instruction.
    • XMPL includes key parameters (e.g. IP addresses) rather than assume those details would be memorized, especially in a stressful DR scenario.
    • Similarly, include links to other useful resources such as VM templates.
    Preview of the Info-Tech Template 'Systems Recovery Playbook'.

    Included in the XMPL Systems Recovery Playbook are checklists for recovering XMPL’s virtual desktop infrastructure, mission-critical applications, and core infrastructure components.

    Use flowcharts to document processes with concurrent tasks not easily captured in a checklist

    Supporting Tool icon 1.2.2 XMPL Medical’s Phone Services Recovery Flowchart

    Recovery procedures can consist of flowcharts, checklists, or both, as well as diagrams. The main goal is to be clear and concise.

    • XMPL Medical documented its phone services recovery procedure as a flowchart in order to capture concurrent tasks.
    • Additional instructions, where required, could still be captured in a Playbook checklist or other supporting documentation.
    • The flowchart could have also included key settings or other details as appropriate, particularly if the DR team chose to maintain this recovery procedure just in a flowchart format.
    Preview of the Info-Tech Template 'Recovery Workflows'.

    Included in the XMPL DR documentation is an example flowchart for recovering phone systems. This flowchart is in Recovery Workflows.

    Reference this blueprint for more SOP flowchart examples: Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

    Use topology diagrams to capture network layout, integrations, and system information

    Supporting Tool icon 1.2.4 XMPL Medical’s Data Center and Network Diagrams

    Topology diagrams, key checklists, and configuration settings are often enough for experienced networking staff to carry out their DR tasks.

    • XMPL Medical includes the following diagrams with its DRP. Instead of recreating them, the XMPL Medical DR Manager asked the network team to provide them:
      • Primary data center diagram
      • DR site diagram
      • High-level network diagrams
    • Often, organizations already have network topology diagrams for reference purposes.

    “Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them.” (Assistant Director-IT Operations, Healthcare Industry)

    Preview of the Info-Tech Template 'Systems Recovery Playbook'.

    You can download a PDF and a VSD version of these Data Center and Network Diagrams from Info-Tech’s website.

    Create a list of organizational, IT, and vendor contacts that may be required to assist with recovery

    If there is something strange happening to your IT infrastructure, who you gonna call?

    Many DR managers have their team on speed dial. However, having the contact info of alternate staff, BCP leads, and vendors can be very helpful during a disaster. XMPL Medical lists the following information in its DRP Workbook:

    • The DR Teams, SMEs critical to disaster recovery, their backups, and key contacts (e.g. BC Management team leads, vendor contacts) that would be involved in:
      • Declaring a disaster.
      • Coordinating a response at an organizational level.
      • Executing recovery.
    • The people that have authority to declare a disaster.
    • Each person’s spending authority.
    • The rules for delegating authority.
    • Primary and alternate staff for each role.
    Example list of alternate staff, BCP leads, and vendors.

    Confirm with your DR team that you have all of the documentation that you need to recover during a disaster

    Associated Activity icon 1.2.7 Group Discussion

    DISCUSS: Is there enough information in your DRP for both primary and backup DR personnel?

    • Is it clear who is responsible for each DR task, including notification steps?
    • Have alternate staff for each role been identified?
    • Does the recovery workflow capture all of the high-level steps?
    • Is there enough documentation for alternate staff (e.g. network specs)?

    Step 1.3: Write the DRP Summary

    This step will walk you through the following activities:

    • Write a DRP summary document.

    This step involves the following participants:

    • DRP Owner

    Outcomes of this step

    • High-level outline of your DRP capabilities for stakeholders such as executives, auditors, and clients.

    Summarize your DR capabilities using a DRP summary document

    Supporting Tool icon 1.3.1 DRP Summary Document

    The sample included on Info-Tech’s website is customized for the XMPL Medical Case Study – use the download as a starting point for your own summary document.

    DRP Summary Document

    XMPL’s DRP Summary is organized into the following categories:

    • DR requirements: This includes a summary of scope, business impact analysis (BIA), risk assessment, and high-level RTOs and achievable RTOs.
    • DR strategy: This includes a summary of XMPL’s recovery procedures, DR site, and backup strategy.
    • Testing and maintenance: This includes a summary of XMPL’s DRP testing and maintenance strategy.

    Be transparent about existing business risks in your DRP summary

    The DRP summary document is business facing. Include the information that business leaders (and other stakeholders) need to be aware of.

    • Discrepancies between desired and achievable RTOs? Organizational leadership needs to know this information. Only then can they assign the resources and budget that IT needs to achieve the desired DR capabilities.
    • What is the DRP’s scope? XMPL Medical lists the IT components that will be recovered during a disaster, and components which will not. For instance, XMPL’s DRP does not recover medical equipment, and XMPL has separate plans for business continuity and emergency response coordination.
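
    | Application tier | Desired RTO (hh:mm) | Desired RPO (hh:mm) | Achievable RTO (hh:mm) | Achievable RPO (hh:mm) |
    |------------------|---------------------|---------------------|------------------------|------------------------|
    | Tier 1           | 4:00                | 1:00                | *90:00                 | 1:00                   |
    | Tier 2           | 8:00                | 1:00                | *40:00                 | 1:00                   |
    | Tier 3           | 48:00               | 24:00               | *96:00                 | 24:00                  |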

    The above table is a snippet from the XMPL DR Summary Document (section 2.1.3.2).

    In the example, the DR team is unable to recover tier 1, 2, and 3 systems within the desired RTO. As such, they clearly communicate this information in the DRP summary, and include action items to address these gaps.

    Phase 2: Select the Optimal DRP Publishing Strategy

    Step 2.1: Select a DRP Publishing Strategy

    This step will walk you through the following activities:

    • Select criteria for assessing DRP tools.
    • Evaluate categories for DRP tools.
    • Optional: Write an RFP for a BCM tool.

    This step involves the following participants:

    • DRP Owner

    Outcomes of this step

    • Identified strategies for publishing your DRP (i.e. making it available to your DR team).

    Info-Tech Insights

    Diversify your publishing strategy to ensure you can access your DRP in a disaster. For example, if you are using a BCM tool or SharePoint Online as your primary documentation repository, also push the DRP to your DR team’s smartphones as a backup in case the disaster affects internet access.

    2.1 — Select a DR publishing and document management strategy that fits your organization

    Publishing and document management considerations:

    Portability/External Access: Assume your primary site is down and inaccessible. Can you still access your documentation? As shown in this chart, traditional strategies of either keeping a copy at another location (e.g. at the failover site) or with staff (e.g. on a USB drive) still dominate, but these aren’t necessarily the best options.
    A bar chart titled 'Portability Strategy Popularity'. 'External Website (wiki site, cloud-based DRP tool, etc.)' scored 16%. 'Failover Site (network drive or redundant SharePoint, etc.)' scored 53%. 'Distribute to Staff (use USB drive, personal email, etc.)' scored 50%. 'Not Accessible Offsite' scored 7%.
    Note: Percentages total more than 100% due to respondents using more than one portability strategy.
    (Source: Info-Tech Research Group, N=118)
    Maintainability/Usability: How easy is it to create, update, and use the documentation? Is it easy to link to other documents as shown in the flowchart and checklist examples? Is there version control? Lack of version control can create a maintenance nightmare as well as issues in a crisis if staff are questioning whether they have the right version.
    Cost/Effort: Is the cost and effort appropriate? For example, a large enterprise may need a formal solution (e.g. DRP tools or SharePoint), but the cost might be hard to justify for a smaller company.

    Pros and cons of potential strategies

    This section will review the following strategies, their pros and cons, and how they meet publishing and document management requirements:

    • DRP tools (e.g. eBRP, Recovery Planner, LDRPS)
    • In-house solutions combining SharePoint and MS Office (or equivalent)
    • Wiki site
    • “Manual” approaches such as storing documents on a USB drive

    Avoid 42 hours of downtime due to a non-diversified publishing strategy

    CASE STUDY

    Industry: Municipality
    Source: Interview

    Situation

    • A municipal government has recently completed an end-to-end disaster recovery plan.
    • The team is feeling good about the fact that they were able to identify:
      • Relative criticality of applications.
      • Dependencies for each application.
      • Incident response plans for the current state and desired state.
      • System recovery procedures.

    Challenge

    • While the DR plan itself was comprehensive, the team published the DRP only to the government’s network drives.
    • A power generation issue caused power to be shut down, which in turn cascaded into downtime for the network.
    • Once the network was down, their DRP was inaccessible.

    Insights

    • Each piece of documentation that was created could have contributed to recovery efforts. However, because the documents were inaccessible, there was a delayed response to the incident. The result was 42 hours of downtime for end users.
    • Having redundant publishing strategies is just like having redundant IT infrastructure. In the event of downtime, not only do you need to have DR documentation, but you also need to make sure that it is accessible.

    Decide on a DR publishing strategy by looking at portability, maintainability, cost, and required effort

    2.1.1 DRP Publishing and Management Evaluation Tool

    Use the information included in Step 2.1 to guide your analysis of DRP publishing solutions.

    The tool enables you to compare two possible solutions based on the key considerations discussed in this section:

    • Portability/external access
    • Maintainability/usability
    • Cost
    • Effort

    The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on.

    For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to manage consistent DRP distribution.

    Preview of Info-Tech's 'DRP Publishing and Management Solution Evaluation Tool'.

    The DRP Publishing and Management Solution Evaluation Tool helps you to evaluate the tools included in this section.

    Don’t think of a business continuity management (BCM) tool as a silver bullet; know what you’re getting out of it

    Portability/External Access:
    • Pros: Typically a SaaS option provides built-in external access with appropriate security and user administration to vary access rights.
    • Cons: Degree of external access is often dependent on the vendor.
    Maintainability/Usability:
    • Pros: Built-in templates encourage consistency and guide initial content development by indicating what details need to be captured.
    • Pros: Built-in document management (e.g. version control, metadata support), centralized access/navigation to required documents, and some automation (e.g. update contacts throughout the system).
    • Cons: Not a silver bullet. You still have to do the work to define and capture your processes.
    • Cons: Requires end-user and administrator training.
    Cost/Effort:
    • Pros: For large enterprises, the convenience of built-in document management and templates can outweigh the cost.
    • Cons: Expect leading DRP tools to cost $20K or more per year.

    About this approach:
    BCM tools are solutions that provide templates, tools, and document management to create BC and DR documentation.

    Info-Tech Insight

    The business case for a BCM tool is built by answering the following questions:

    • Will the BCM tool solve an unmet need?
    • Will the tool be more effective and efficient than an in-house solution?
    • Will the solution provide enhanced capabilities that an in-house solution cannot provide?

    If you cannot get a satisfactory answer to each of these questions, then opt for an in-house solution.

    “We explored a DRP tool, and it was something we might have used, but it was tens of thousands of pounds per year, so it didn’t stack up financially for us at all.” (Rik Toms, Head of Strategy – IP and IT, Cable and Wireless Communications)

    For in-house solutions, leverage tools such as SharePoint to provide document management capabilities

    Portability/External Access:
    • Pros: SharePoint is commonly web-enabled and supports external access with appropriate security and user administration.
    • Cons: Must be installed at redundant sites or be cloud-based to be effective in a crisis that takes down your primary data center.
    Maintainability/Usability:
    • Pros: Built-in document management (e.g. version control, metadata support) as well as centralized access/navigation to required documents.
    • Pros: No tool learning curve – SharePoint and MS Office would be existing solutions already used on a daily basis.
    • Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
    • Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.
    Cost/Effort:
    • Pros: Using existing tools, so this is a sunk cost in terms of capex.
    • Cons: Additional effort required to create templates and manage the documentation library.

    About this approach:
    DRPs and SOPs most often start as MS Office documents, even if there is a DRP tool available. For organizations that elect to bypass a formal DRP tool, and most do, the biggest gap they have to overcome is document management.

    Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for DR documentation and day-to-day SOPs.

    For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instances at multiple in-house locations, or using a cloud-based SharePoint solution.

    “Just about everything that a DR planning tool does, you can do yourself using homegrown solutions or tools that you're already familiar with such as Word, Excel, and SharePoint.” (Allen Zuk, President and CEO, Sierra Management Consulting)

    A healthcare company uses SharePoint as its DRP and SOP documentation management solution

    CASE STUDY Healthcare

    • This organization is responsible for 50 medical facilities across three states.
    • It explored DRP tools, but didn’t find the right fit, so it has developed an in-house solution based in SharePoint. While DRP tools have improved, the organization no longer needs that type of solution. Its in-house solution is meeting its needs.
    • It has SharePoint instances at multiple locations to ensure availability if one site is down.

    Documentation Strategy

    • Created an IT operations library in SharePoint for DR and SOPs, from basic support to bare-metal restore procedures.
    • SOPs are linked from SharePoint to the virtual help desk for greater accessibility.
    • Where practical, diagrams and flowcharts are used, e.g. DR process flowcharts and network services SOPs dominated by diagrams and flowcharts.

    Management Strategy

    • Directors and the CIO have made finishing off SOPs their performance improvement objective for the year. The result is staff have made time to get this work done.
    • Status updates are posted monthly, and documentation is a regular agenda item in leadership meetings.
    • Regular tabletop testing validates documentation and ensures familiarity with procedures, including where to find required information.

    Results

    • Dependency on a few key individuals has been reduced. All relevant staff know what they need to do and where to access required documentation.
    • SOPs are enabling DR training as well as day-to-day operations training for new staff.
    • The organization has high confidence in its ability to recover from a disaster within established timelines.

    Explore using a wiki site as an inexpensive alternative to SharePoint and other content management solutions

    Portability/External Access:
    • Pros: Wiki sites can support external access as with any web solution.
    • Cons: Must be installed at redundant sites, hosted, or cloud-based to be effective in a crisis that takes down your primary data center.
    Maintainability/Usability:
    • Pros: Built-in document management (version control, metadata support, etc.) as well as centralized access/navigation to required information.
    • Pros: Authorized users can make updates dynamically, depending on how much restriction you have on the site.
    • Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
    • Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.
    Cost/Effort:
    • Pros: An inexpensive option compared to traditional content management solutions such as SharePoint.
    • Cons: Learning curve if wikis are new to your organization.

    About this approach:
    Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.

    While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.

    Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:

    Info-Tech Insight

    If your organization is not already using wiki sites, this technology can introduce a culture shock. Start slow by using a wiki site within a specific department or for a particular project. Then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to our collaboration strategy research for additional guidance.

    For small IT shops, distributing documentation to key staff (e.g. via a USB drive) can still be effective

    Portability/External Access:
    • Pros: Appropriate staff have the documentation with them; there is no need to log into a remote site or access a tool to get at the information.
    • Cons: Relies on staff to be diligent about ensuring they have the latest documentation and keep it with them (not leave it in their desk drawer).
    Maintainability/Usability:
    • Pros: With this strategy, MS Office (or equivalent) is used to create and maintain the documentation, so there is no learning curve.
    • Pros: Simple, straightforward methodology – keep the master on a network drive, and download a copy to your USB drive.
    • Cons: No built-in automation (e.g. automated updates to contact information) or document management (e.g. version control).
    • Cons: Consistency depends on creating templates and implementing rigid processes for document updates, review, and approval.
    Cost/Effort:
    • Pros: Little to no cost and no tool management required.
    • Cons: “Manual” document management requires strict attention to process for version control, updates, approvals, and distribution.

    About this approach:
    With this strategy, your ERT and key IT staff keep a copy of your DRP and relevant documentation with them (e.g. on a USB drive). If the primary site experiences a major event, they have ready access to the documentation.

    Fifty percent of respondents in our recent survey use this strategy. A common scenario is to use a shared network drive or a solution such as SharePoint as the master centralized repository, but distribute a copy to key staff.

    Info-Tech Insight

    This approach can have disadvantages similar to those of using hard copies. Ensuring the USB drives are up to date, and that all staff who might need access have a copy, can become a burdensome process. More often, USB drives are updated periodically, so there is the risk that the information will be out of date or incomplete.

    Avoid extensive use of paper copies of DR documentation

    DR documents need to be easy to update, accessible from anywhere, and searchable. Paper doesn’t meet these needs.

    Portability/External Access:
    • Pros: Does not rely on technology or power.
    • Cons: Requires all staff who might be involved in a DR to have a copy, and to have it with them at all times, to truly have access at any time from anywhere.
    Maintainability/Usability:
    • Pros: In terms of usability, again there is no dependence on technology.
    • Cons: Updates need to be printed and distributed to all relevant staff every time there is a change to ensure staff have access to the latest, most accurate documentation if a disaster occurred. You can’t schedule disasters, so information needs to be current all the time.
    • Cons: Navigation to other information is manual – flipping through pages, etc. No searching or hyperlinks.
    Cost/Effort:
    • Pros: No technology system to maintain, aside from what you use for printing.
    • Cons: Printing expenses are actually among the highest incurred by organizations, and this adds to them.
    • Cons: Labor intensive due to need to print and physically distribute documentation updates.

    About this approach:
    Traditionally DRPs are printed and distributed to managers and/or kept in a central location at both the primary site and a secondary site. In addition, wallet cards are distributed that contain key information such as contact numbers.

    A wallet card or even a few printed copies of your high-level DRP for general reference can be helpful, but paper is not a practical solution for your overall DR documentation library, particularly when you include SOPs for recovery procedures.

    One argument in favor of paper is there is no dependency on power during a crisis. However, in a power outage, staff can use smartphones and potentially laptops (with battery power) to access electronically stored documentation to get through first response steps. In addition, your DR site should have backup power to be an appropriate recovery site.

    Optional: Partial list of BCM tool vendors

    A partial list of BCM tool vendors, including: Business Protector, catalyst, clearview, ContinuityLogic, Fusion, Logic Manager, Quantivate, RecoveryPlanner.com, MetricStream, SimpleRisk, riskonnect, Strategic BCP - ResilienceONE, RSA, and Sungard Availability Services.

    The list is only a partial list of BCM tool vendors. The order in which vendors are presented, and inclusion in this list, does not represent an endorsement.

    Optional: Use our list of requirements as a foundation for selecting and reviewing BCM tools

    2.1.2 BCM Tool – RFP Selection Criteria

    If a BCM tool is the best option for your environment, expedite the evaluation process with our BCM Tool – RFP Selection Criteria.

    Through advisory services, workshops, and consulting engagements, we have created this BCM Tool Requirements List. The featured requirements include the following categories:

    1. Integrations
    2. Planning and Monitoring
    3. Administration
    4. Architecture
    5. Security
    6. Support and Training
    Preview of the Info-Tech template 'BCM Tool – RFP Selection Criteria'.

    This BCM Tool – RFP Selection Criteria can be appended to an RFP. You can leverage Info-Tech’s RFP Template if your organization does not have one.

    Info-Tech can write full RFPs

    As part of a consulting engagement, Info-Tech can write RFPs for BCM tools and provide a customized scoring tool based on your environment’s unique requirements.

    Phase 3: Keep Your DRP Relevant Through Maintenance Best Practices

    Step 3.1: Integrate DRP maintenance into core IT processes

    This step will walk you through the following activities:

    • Integrate DRP maintenance with Project Management.
    • Integrate DRP considerations into Change Management.
    • Integrate with Performance Management.

    This step involves the following participants:

    • DRP Owner
    • Head of Project Management Office
    • Head of Change Advisory Board
    • CIO

    Outcomes of this step

    • Updated project intake form.
    • Updated change management practice.
    • Updated performance appraisals.

    3.1 — Incorporate DRP maintenance into core IT processes

    Focusing on these three processes will help ensure that your plan stays current, accurate, and usable.

    The Info-Tech / COBIT5 'IT Management and Governance Framework' with three processes highlighted: 'MEA01 Performance Measurement', 'BAI06 Change Management', and 'BAI01 Project Management'.

    Info-Tech Best Practice

    Prioritize quick wins that will have large benefits. The advice presented in this section offers easy ways to help keep your DRP up to date. These simple solutions can save a lot of time and effort for your DRP team as opposed to more intricate changes to the processes above.

    Assess how new projects impact service criticality and DR requirements upfront during project intake

    Process: BAI01 Project Management
    3.1.1 Sample Project Intake Form Addendum

    Understand the RTO/RPO requirements and IT impacts for new or enhanced services to ensure appropriate provisioning and overall DRP updates.

    • Have submitters include service continuity requirements. This information can be inserted into your business impact analysis. Use language similar to what you use in your own BIA.
      • The submitter should know how critical the resulting project will be. Any items that the submitter doesn’t know, the Project Steering Committee should investigate.
    • Have IT assess the impact on the DRP. The submitter will not know how the DRP will be impacted directly. Ask the project committee to consider how DRP documentation and the DR environment will need to be changed due to the project under consideration.

    Note: The goal is not to make DR a roadblock, but rather to ensure project requirements will be met – including availability and DR requirements.

    Preview of the Info-Tech template 'Project Intake Form'.

    This Project Intake Form asks the submitter to fill out the availability and criticality requirements for the project.

    Leverage your change management process to identify required DRP updates as they occur

    Process: BAI06 Change Management

    Avoid the year-end rush to update your DRP. Keeping it up to date as changes occur saves time in the long run and ensures your plan is accurate when you need it.

    • As part of your change management process, identify potential updates to:
      • System documentation (e.g. configuration settings).
      • Recovery procedures (e.g. if a system has been virtualized, that changes the recovery procedure).
      • Your DR environment (e.g. system configuration updates for standby systems).
    • Keep track of how often a system has changed. Relevant DRP documentation might be due for a deeper review:
      • After a system has been changed ten times (even from routine changes), notify your DRP Manager to flag the relevant DRP documentation for review.
      • As part of formal DRP reviews, pay closer attention to DRP documentation for the flagged systems.
    Preview of the Info-Tech template 'Disaster Recovery Change Management'.

    This template asks the submitter to fill out the availability and criticality requirements for the project.

    For change management best practices beyond DRP considerations, please see Optimize Change Management.

    Integrate documentation into performance measurement and performance management

    Process: MEA01 Performance Measurement

    Documentation is a necessary evil – few like to create it and more immediate tasks take priority. If it isn’t scheduled and prioritized, it won’t happen.

    Why documentation is such a challenge, and how management can address these challenges:

    • Challenge: We all know that IT staff typically do not like to write documentation. That’s not why they were hired, and good documentation is not what gets them promoted.
      • How management can address it: Include documentation deliverables in your IT staff’s performance appraisal to stress the importance of ensuring documentation is up to date, especially where it might impact DR success.
    • Challenge: Similarly, documentation is secondary to more urgent tasks. Time to write documentation is often not allocated by project managers.
      • How management can address it: Schedule time for developing documentation, just like any other project, or it won’t happen.
    • Challenge: Writing manuals is typically a time-intensive task.
      • How management can address it: Focus on what is necessary for another experienced IT professional to execute the recovery. As discussed earlier, often a diagram or checklist is good enough and actually far more usable in a crisis.

    “Our directors and our CIO have tied SOP work to performance evaluations, and SOP status is reviewed during management meetings. People have now found time to get this work done.” (Assistant Director – IT Operations, Healthcare Industry)

    Step 3.2: Conduct an Annual Focused Review

    This step will walk you through the following activities:

    1. Identify components of your DRP to refresh.
    2. Identify organizational changes requiring further focus.
    3. Test your DRP and identify problems.
    4. Correct problems identified with DRP.

    This step involves the following participants:

    • DRP Owner
    • System SMEs
    • Backup DR Personnel

    Outcomes of this step

    • An actionable, up-to-date DRP.

    Info-Tech Insight

    Testing is a waste of time and resources if you do not fix what’s broken. Tabletop testing is effective at uncovering gaps in your DR processes, but if you don’t address those gaps, then your DRP will still be unusable in a disaster.

    Set up a safety net to capture changes that slipped through the cracks with a focused review process

    Evaluate documentation supporting high-priority systems, as well as documentation supporting IT systems that have been significantly changed.

    • Ideally you’re maintaining documentation as you go along. But you need to have an annual review to catch items that may have slipped through.
    • Don’t review everything. Instead, review:
      • IT systems that have had 10+ changes: small changes and updates can add up over time. Ensure:
        • The plans for these systems are updated for changes (e.g. configuration changes).
        • SMEs and backup personnel are familiar with the changes.
      • Tier 1 / Gold Systems: Ensure that you can still recover tier 1 systems with your existing DRP documentation.
    • Track documentation issues that you discovered with your ticketing system or service desk tool to ensure necessary documentation changes are made.
    1. Annual Focused Review
    2. Tier 1 Systems
    3. Significantly Changed Systems
    4. Organizational Changes

    Identify larger changes, both organizational and within IT, that necessitate DRP updates

    During your focused review, consider how organizational changes have impacted your DRP.

    The COBIT 5 Enablers provide a foundation for this analysis. Consider:

    • Changes in regulatory requirements: Are there new requirements for IT that are not reflected in your DRP? Is the organization required to comply with any additional regulations?
    • Changes to organizational structures, business processes, and how employees work: Can employees still be productive once tier 1 services are restored or have RTOs changed? Has organizational turnover impacted your DRP?
    • SMEs leaving or changing roles: Can IT still execute your DRP? Are there still people for all the key roles?
    • Changes to IT infrastructure and applications: Can the business still access the information they need during a disaster? Is your BIA still accurate? Do new services need to be considered tier 1?

    Info-Tech Best Practice

    COBIT 5 Enablers
    What changes need to be reflected in your DRP?

    A cycle visualization titled 'Disaster Recovery Plan'. Starting at 'Changes in Regulatory Requirements', it proceeds clockwise to 'Organizational Structure', 'Changes in Business Processes', and 'How Employees Work', before it returns to DRP. Then 'Changes to Applications', 'Changes to Infrastructure', 'SMEs Leaving or Changing Roles', and then back to the DRP.

    Create a plan during your annual focused review to test your DRP throughout the year

    Regardless of your documentation approach, training and familiarity with relevant procedures are critical.

    • Start with tabletop exercises and progress to technology-based testing (simulation, parallel, and full-scale testing).
    • Ask staff to reference documentation while testing, even if they do not need to. This practice helps to confirm documentation accuracy and accessibility.
    • Incorporate cross-training in DR testing. This gives important experience to backup personnel and will further validate that documents are complete and accurate.
    • Track any discovered documentation issues with your ticketing system or project tracking tools to ensure necessary documentation changes are made.

    Example Test Schedule:

    1. Q1: Tabletop testing shadowed by backup personnel
    2. Q2: Tabletop testing led by backup personnel
    3. Q3: Technology-based testing
    4. Annual Focused Review: Review Results

    Reference this blueprint for guidance on DRP testing plans: Reduce Costly Downtime Through DR Testing

    Appendix A: XMPL Case Study

    Follow XMPL Medical’s journey through DR documentation

    CASE STUDY

    Industry: Healthcare
    Source: Created by amalgamating data from Info-Tech’s client base

    Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

    Outline of the Disaster Recovery Plan

    XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

    Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

    Resulting Disaster Recovery Plan

    XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

    Disaster Recovery Plan
    • Recovery Workflow
    • Business Impact Analysis
    • DRP Summary
    • System Recovery Checklists
    • Communication, Assessment, and Disaster Declaration Plan

    Info-Tech Best Practice

    XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

    Model your disaster recovery documentation off of our example

    CASE STUDY

    Industry: Healthcare
    Source: Created by amalgamating data from Info-Tech’s client base

    Recovery Workflow:

    • Recovery Workflows (PDF, VSDX)

    Recovery Procedures (Systems Recovery Playbook):

    • DR Notification, Assessment, and Disaster Declaration Plan
    • Systems Recovery Playbook
    • Network Topology Diagrams

    Additional Reference Documentation:

    • DRP Workbook
    • Business Impact Analysis
    • DRP Summary Document

    Use our structure to create your practical disaster recovery plan.

    Appendix B: Summary, Next Steps, and Bibliography

    Insight breakdown

    Use visual-based documentation instead of a traditional DRP manual.

    • Flowcharts, checklists, and diagrams are more concise, easier to maintain, and more effective in a crisis.
    • Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.

    Create your DRP in layers to keep the work manageable.

    • Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

    Prioritize quick wins to make DRP maintenance easier and more likely to happen.

    • Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

    Summary of accomplishment

    Knowledge Gained

    • How to create visual-based DRP documentation
    • How to integrate DRP maintenance into core IT processes

    Processes Optimized

    • DRP documentation creation
    • DRP publishing tool selection
    • DRP documentation maintenance

    Deliverables Completed

    • DRP documentation
    • Strategy for publishing your DRP
    • Modified project-intake form
    • Change management checklist for DR considerations

    Project step summary

    Client Project: Document and Maintain Your Disaster Recovery Plan

    • Create a recovery workflow.
    • Create supporting DRP documentation.
    • Write a summary for your DRP.
    • Decide on a publishing strategy.
    • Incorporate DRP maintenance into core IT processes.
    • Conduct an annual focused review.

    Info-Tech Insight

    This project has the ability to fit the following formats:

    • Onsite workshop by Info-Tech Research Group consulting analysts.
    • Do-it-yourself with your team.
    • Remote delivery (Info-Tech Guided Implementation).

    Related Info-Tech research

    Create a Right-Sized Disaster Recovery Plan
    Close the gap between your DR capabilities and service continuity requirements.

    Reduce Costly Downtime Through DR Testing
    Improve the accuracy of your DRP and your team’s ability to efficiently execute recovery procedures through regular DR testing.

    Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
    Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

    Prepare for a DRP Audit
    Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.


    Effectively Recognize IT Employees

    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $100 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • Even when organizations do have recognition programs, employees want more recognition than they currently receive.
    • In a recent study, McLean & Company found that 69% of IT employees surveyed felt they were not adequately praised and rewarded for superior work.
    • In a lot of cases, the issue with recognition programs isn’t that IT departments haven’t thought about the importance but rather that they haven’t focused on proper execution.

    Our Advice

    Critical Insight

    • You’re busy – don’t make your recognition program more complicated than it needs to be. Focus on day-to-day ideas and actively embed recognition into your IT team’s culture.
    • Recognition is impactful independent of rewards (i.e. items with a monetary value), but rewarding employees without proper recognition can be counterproductive. Put recognition first and use rewards as a way to amplify its effectiveness.

    Impact and Result

    • Info-Tech tools and guidance will help you develop a successful and sustainable recognition program aligned to strategic goals and values.
    • By focusing on three key elements – customization, alignment, and transparency – you can improve your recognition culture within four weeks, increasing employee engagement and productivity, improving relationships, and reducing turnover.

    Effectively Recognize IT Employees Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement an IT employee recognition program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Effectively Recognize IT Employees – Executive Brief
    • Effectively Recognize IT Employees – Phases 1-3

    1. Assess the current recognition landscape

    Understand the current perceptions around recognition practices in the organization and determine the behaviors that your program will seek to recognize.

    • Effectively Recognize IT Employees – Phase 1: Assess the Current Recognition Landscape
    • IT Employee Recognition Survey Questions

    2. Design the recognition program

    Determine the structure and processes to enable effective recognition in your IT organization.

    • Effectively Recognize IT Employees – Phase 2: Design the Recognition Program
    • Employee Recognition Program Guide
    • Employee Recognition Ideas Catalog
    • Employee Recognition Nomination Form

    3. Implement the recognition program

    Rapidly build and roll out a recognition action and sustainment plan, including training managers to reinforce behavior with recognition.

    • Effectively Recognize IT Employees – Phase 3: Implement the Recognition Program
    • Recognition Action and Communication Plan
    • Manager Training: Reinforce Behavior With Recognition

    What is resilience?

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    Aside from the fact that operational resilience is mandated by law as of January 2025 (yes, next year), having your systems and applications available to your customers whenever they need your services is always a good idea. Customers, both existing and new ones, typically prefer smooth operations over new functionality. If you have any roadblocks in your current customer journey, then solving those is also part of operational resilience (and excellence).

    Does this mean you should not market new products or services? Of course not! Solving a customer journey roadblock is ensuring that your company is resilient. The Happy Meal is a prime example: it solved a product roadblock for small children and a profits roadblock for the company. For more info, just google it. But before you bring a new service online, be sure that it can withstand the punches that will be thrown at it. 

    What is resilience? 

    Resilience is the art of making sure your services are available to your customers whenever they can use them. Note I did not say 24/7/365. Your business may require that, but perhaps your systems need "only" to be available during "normal" business hours.

    Resilient systems can withstand adverse events that impair their ability to perform normal functions and, as in the case of the Happy Meal, increased peak demands. Events can include simple breakdowns (like a storage device, an internet connection that fails, or a file that fails to load) or something worse, like a cyber attack or a larger failure in your data center.

    Your client does not care what the cause is; what counts for the client is, "Can I access your service (or buy that meal for my kid)?"

    Resilience entails several aspects:

    • availability
    • performance
    • right-sizing
    • hardening
    • restore-ability
    • testing
    • monitoring
    • management and governance

    It is now tempting to apply these aspects only to your organization's IT or technical parts. That is insufficient. Your operations, management, and even, for example, sales must ensure that services rendered result in happy clients and happy shareholders/owners. The reason is that resilient operations are a symphony. Not one single department or set of actions will achieve this. When you have product development working with the technical teams to develop a resilient flow at the right level for its earning potential, then you maximize profits.

    This synergy ensures that you invest exactly the right level of resources. There are no exaggerated technical or operational elements for ancillary services. That frees resources to ensure your main services receive the full attention they deserve.

    Resilience, in other words, is the result of a mindset and a way of operating that helps your business remain at the top of its game and provides a top service to clients while keeping the bottom line in the black. 

    Why do we need to spend on this?

    I mean, if it ain't broke, don't fix it. That old adage is true, and yet not. Services can remain up and running for a long time with single points of failure. But can you afford to have them break at any time? If yes, and your customers don't mind waiting for you to patch things up, then you can "risk-accept" that situation. But how realistic is that these days? If I cannot buy it at your shop today, I'll more than likely get it from another. If I'm in a contract with you, yet you cannot deliver, we will have a conversation, or at the very least, a moment of disappointment. If you have enough "disappointments," you will lose the customer. Lose enough customers, and you will have a reputational problem or worse.

    We don't like to spend resources on something that "may" go wrong. We do risk assessments to determine the true cost of non-delivery and the likelihood of that happening. And there are different ways to deal with that assessment's outcome. Not everything needs to have double the number of people working on it, just in case one resigns. Not every system needs an availability of 99.999%.

    But sometimes, we do not have a choice. When lives are at stake, like in medical or aviation services, being sorry is not a good starting point. The same goes for financial services. The DORA and NIS2 legislation in the EU, the CEA, FISMA, and GLBA in the US, and ESPA in Japan, to name a few, require your company, if active in the relevant regulated sectors, to comply and ensure that your services continue to perform.

    Most of these elements have one thing in common: we need to know what is important for our service delivery and what is not.

    Business service

    That brings us to the core subject of what needs to be resilient. The answer is very short and very complex at the same time. It is the service that you offer to your customers which must meet reliance levels.

    Take the example of a hospital. When there is a power outage, the most critical systems must continue operating for a given period. That also means that sufficient capable staff must be present to operate said equipment; it even means that the paths leading to said hospital should remain available; if not by road, then, e.g., by helicopter. If these inroads are unavailable, an alternate hospital should be able to take on the workload. 

    Not everything here in this example is the responsibility of the hospital administrators! This is why the management and governance parts of the resilience ecosystem are so important in the bigger picture. 

    If we look at the financial sector, the EU DORA (Digital Operational Resilience Act) specifically states that you must start with your business services. Like many others, the financial sector can no longer function without its digital landscape. If a bank is unexpectedly disconnected from its payment network, especially SWIFT, it will not be long before there are existential issues. A trading department stands to lose millions if the trading system fails. 

    Look in your own environment; you will see many such points. What if your internet connection goes down, and you rely on it for most of your business? How long can you afford to be out? How long before your clients notice and take action? Do you supply a small but critical service to an institution? Then, you may fall under the aforementioned laws (it's called third-party requirements, and your client may be liable to follow them.)

    But also, outside of the technology, we see points in the supply chain that require resilience. Do you still rely on a single person or provider for a critical function? Do you have backup procedures if the tech stops working, yet your clients require you to continue to service them? 

    In all these and other cases, you must know what your critical services are so that you can analyze the requirements and put the right measures in place.

    Once you have defined your critical business services and have analyzed their operational requirements, you can start to look at what you need to implement the aforementioned areas of availability, monitoring, hardening, and others. Remember we're still at the level of business service. The tech comes later and will require a deeper analysis. 

    In conclusion.

    Resilient operations ensure that you continue to function, at the right price, in the face of adverse events. If you can, resilience starts at the business level from the moment of product conception. If the products have long been developed, look at how they are delivered to the client and upgrade operations, resources, and tech where needed.

    In some cases, you are legally required to undertake this exercise. But in all cases, it is important that you understand your business services and the needs of your clients and put sufficient resources in the right places of your delivery chain. 

    If you want to discuss this further, please contact me for a free talk.

     


    Integrate Portfolios to Create Exceptional Customer Value

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Through growth, both organic and acquisition, you have a significant footprint of projects and applications.
    • Projects and applications have little in common with one another, all with their own history and pedigree.
    • You need to look across your portfolio of applications and projects to see if they will collectively help the organization achieve its goals.

    Our Advice

    Critical Insight

    • Stakeholders don’t care about the minutiae and activities involved in project and application portfolio management.
    • Timely delivery of effective and important applications that deliver value throughout their life is the most important factor driving business satisfaction with IT.

    Impact and Result

    • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
    • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
    • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

    Integrate Portfolios to Create Exceptional Customer Value Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should integrate your application and project portfolios, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the principle that organizes your portfolios, objectives, and stakeholders

    To bring your portfolios together, you need to start with learning about your objectives, principles, and stakeholders.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 1: Define the Principle That Organizes Your Portfolios, Objectives, and Stakeholders
    • Integrated Portfolio Dashboard Tool
    • Integrated Portfolio Dashboard Tool – Example

    2. Take stock of what brings you closer to your goals

    Get a deeper understanding of what makes up your organizing principle before learning about your applications and projects that are aligned with your principles.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 2: Take Stock of What Brings You Closer to Your Goals

    3. Bring it all together

    Bound by your organizing principles, bring your projects and applications together under a single dashboard. Once defined, determine the rollout and communication plan that suits your organization.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 3: Bring It All Together
    • Integrated Portfolio Communication and Roadmap Plan
    • Integrated Portfolio Communication and Roadmap Plan Example

    Workshop: Integrate Portfolios to Create Exceptional Customer Value

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Looking at Your Principles

    The Purpose

    Determine your organizational objectives and organizing principle.

    Key Benefits Achieved

    A clear understanding of where you need to go as an organization.

    A clear way to enable all parts of your portfolio to come together.

    Activities

    1.1 Determine your organization’s objectives.

    1.2 Determine your key stakeholders.

    1.3 Define your organizing principle.

    1.4 Decompose your organizing principle into its core components.

    Outputs

    Determined organizing principle for your applications and projects

    2 Understanding Your Applications

    The Purpose

    Get a clear view of the applications that contribute to your organization’s objectives.

    Key Benefits Achieved

    A key element of IT value delivery is its applications. Gaining awareness allows you to evaluate if the right value is being provided.

    Activities

    2.1 Determine your complete list of applications.

    2.2 Determine the health of your applications.

    2.3 Link your applications to the organization’s core components.

    Outputs

    List of applications

    Application list with health statistics filled in

    List of applications with health metrics bound to the organization’s core components

    3 Understanding Your Projects

    The Purpose

    Get a clear view of your project portfolio and how it relates to your applications and their organizing principle.

    Key Benefits Achieved

    An understanding of your project portfolio.

    Activities

    3.1 List all in-flight projects and vital health statistics.

    3.2 Map out the key programs and projects in your portfolio to the application’s core components.

    Outputs

    List of projects

    List of projects mapped to applications they impact

    4 Rolling Out the New Dashboard

    The Purpose

    Bring together your application and project portfolios in a new, easy-to-use dashboard with a full rollout plan.

    Key Benefits Achieved

    Dashboard available for use

    Roadmap and communication plan to make dashboard implementable and tangible

    Activities

    4.1 Test the dashboard.

    4.2 Define your refresh cadence.

    4.3 Plan your implementation.

    4.4 Develop your communication plan.

    Outputs

    Validated dashboards

    Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Managers are responsible for driving the best performance out of their staff while still developing individuals professionally.
    • Micromanaging tasks is an ineffective, inefficient way to get things done and keep employees engaged at the same time.
    • Both managers and employees view goal setting as a cumbersome process that never materializes in day-to-day work.
    • Without a consistent and agile goal-setting environment that pervades every day, managers risk low productivity and disengaged employees.

    Our Advice

    Critical Insight

    • Effective performance management occurs throughout the year, on a daily and weekly basis, not just at annual performance review time. Managers must embrace this reality and get into the habit of setting agile short-term goals to drive productivity.
    • Employee empowerment is one of the most significant contributors to employee engagement, which is a proven performance driver. Short-term goal setting, which is ultimately employee-owned, develops and nurtures a strong sense of employee empowerment.
    • Micromanaging employee tasks will get managers nowhere quickly. Putting in the effort to collaboratively define goals that benefit both the organization and the employee will pay off in the long run.
    • Goal setting should not be a cumbersome activity, but an agile, rolling habit that ensures employees are focused, supported, and given appropriate feedback to continue to drive performance.

    Impact and Result

    • Managers who have daily meetings to set goals are 17% more successful in terms of employee performance than managers who set goals annually.
    • Managers must be agile goal-setting role models, or risk over a third of their staff being confused about productivity expectations.
    • Managers who allow tracking of goals to be an inhibitor to goal setting are most likely to have a negative effect on employee performance success. In fact, tracking goals should not be a priority in the short term.

    Leverage Agile Goal Setting for Improved Employee Engagement & Performance Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn the agile, short-term goal-setting process

    Implement agile goal setting with your team right away and drive performance.

    • Storyboard: Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    Create an Architecture for AI

    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $604,999 Average $ Saved
    • member rating average days saved: 49 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    This research is designed to help organizations who are facing these challenges:

    • Deliver on the AI promise within the organization.
    • Prioritize the demand for AI projects and govern the projects to prevent overloading resources.
    • Have sufficient data management capability.
    • Have clear metrics in place to measure progress and for decision making.

    AI requires a high level of maturity in all data management capabilities, and the greatest challenge the CIO or CDO faces is to mature these capabilities sufficiently to ensure AI success.

    Our Advice

    Critical Insight

    • Build your target state architecture from predefined best-practice building blocks.
    • Not all business use cases require AI to increase business capabilities.
    • Not all organizations are ready to embark on the AI journey.
    • Knowing the AI pattern that you will use will simplify architecture considerations.

    Impact and Result

    • This blueprint will assist organizations with the assessment, planning, building, and rollout of their AI initiatives.
      • Do not embark on an AI project with an immature data management practice. Embark on initiatives to fix problems before they cripple your AI projects.
      • Using architecture building blocks will speed up the architecture decision phase.
    • The success rate of AI initiatives is tightly coupled with data management capabilities and a sound architecture.

    Create an Architecture for AI Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand why you need an underlying architecture for AI, review Info-Tech's methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess business use cases for AI readiness

    Define business use cases where AI may bring value. Evaluate each use case to determine the company’s AI maturity in people, tools, and operations for delivering the correct data, model development, model deployment, and the management of models in the operational areas.

    • Create an Architecture for AI – Phase 1: Assess Business Use Cases for AI Readiness
    • AI Architecture Assessment and Project Planning Tool
    • AI Architecture Assessment and Project Planning Tool – Sample

    2. Design your target state

    Develop a target state architecture to allow the organization to effectively deliver on the promise of AI using architecture building blocks.

    • Create an Architecture for AI – Phase 2: Design Your Target State
    • AI Architecture Templates

    3. Define the AI architecture roadmap

    Compare current state with the target state to define architecture plateaus and build a delivery roadmap.

    • Create an Architecture for AI – Phase 3: Define the AI Architecture Roadmap

    Workshop: Create an Architecture for AI

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Answer “Where To?”

    The Purpose

    Define business use cases where AI may add value and assess use case readiness.

    Key Benefits Achieved

    Know upfront if all required data resources are available in the required velocity, veracity, and variety to service the use case.

    Activities

    1.1 Review the business vision.

    1.2 Identify and classify business use cases.

    1.3 Assess company readiness for each use case.

    1.4 Review architectural principles and download and install Archi.

    Outputs

    List of identified AI use cases

    Assessment of each use case

    Data sources needed for each use case

    Archi installed

    2 Define the Required Architecture Building Blocks

    The Purpose

    Define architecture building blocks that can be used across use cases and data pipeline.

    Key Benefits Achieved

    The architectural building blocks ensure reuse of resources and form the foundation of a stepwise rollout.

    Activities

    2.1 ArchiMate modelling language overview.

    2.2 Architecture building block overview.

    2.3 Identify architecture building blocks by use case.

    2.4 Define the target state architecture.

    Outputs

    A set of building blocks created in Archi

    Defined target state architecture using architecture building blocks

    3 Assess the Current State Architecture

    The Purpose

    Assess your current state architecture in the areas identified by the target state.

    Key Benefits Achieved

    Only evaluating the current state architecture that will influence your AI implementation.

    Activities

    3.1 Identify the current state capabilities as required by the target state.

    3.2 Assess your current state architecture.

    3.3 Define a roadmap and design implementation plateaus.

    Outputs

    Current state architecture documented in Archi

    Assessed current state using assessment tool

    A roadmap defined using plateaus as milestones

    4 Bridge the Gap and Create the Roadmap

    The Purpose

    Assess your current state against the target state and create a plan to bridge the gaps.

    Key Benefits Achieved

    Develop a roadmap that will deliver immediate results and ensure long-term durability.

    Activities

    4.1 Assess the gaps between current- and target-state capabilities.

    4.2 Brainstorm initiatives to address the gaps in capabilities.

    4.3 Define architecture delivery plateaus.

    4.4 Define a roadmap with milestones.

    4.5 Sponsor check-in.

    Outputs

    Current to target state gap assessment

    Architecture roadmap divided into plateaus

    Manage Exponential Value Relationships

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

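    Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:

    • Build strategic relationships with external entities to support the autonomization of the enterprise.
    • Procure, operate, and manage contracts and performance in outcome-based relationships.
    • Build relationships with new vendors.

    These challenges require new skills which build trust and collaboration among vendors.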

    Our Advice

    Critical Insight

    Outcome-based relationships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

    Impact and Result

    • Assess your readiness to take on the new types of vendor relationships that will help you succeed.
    • Identify where you need to build your capabilities in order to successfully manage relationships.
    • Successfully manage outcomes, financials, risk, and relationships in complex vendor relationships.

    Manage Exponential Value Relationships Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Exponential Value Relationships Storyboard – Learn about the new era of exponential vendor relationships and the capabilities needed to succeed.

    This research walks you through how to assess your capabilities to undertake a new model of vendor relationships and drive exponential IT.

    • Manage Exponential Value Relationships Storyboard

    2. Exponential Relationships Readiness Assessment – Assess your readiness to engage in exponential vendor partnerships.

    This tool will facilitate your readiness assessment.

    • Exponential Relationships Readiness Assessment

    Further reading

    Manage Exponential Value Relationships

    Are you ready to manage outcome-based agreements?

    Analyst Perspective

    Outcome-based agreements require a higher degree of mutual trust.


    Exponential IT brings with it an exciting new world of cutting-edge technology and increasingly accelerated growth of business and IT. But adopting and driving change through this paradigm requires new capabilities to grow impactful and meaningful partnerships with external vendors who can help implement technologies like artificial intelligence and virtual reality.

    Building outcome-based partnerships involves working very closely with vendors who, in many cases, will have just as much to lose as the organizations implementing these new technologies. This requires a greater degree of trust between parties than a standard vendor relationship. It also drastically increases the risks to both organizations; as each loses some control over data and outcomes, they must trust that the other organization will follow through on commitments and obligations.

    Outcome-based partnerships build upon traditional vendor management practices and create the potential for organizations to embrace emerging technology in new ways.

    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Exponential IT drives change

    Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:

    • Build strategic relationships with external entities to support the autonomization of the enterprise.
    • Procure, operate, and manage contracts and performance in outcome-based relationships.
    • Build relationships with new vendors.

    These challenges require new skills which build trust and collaboration with vendors.

    Vendor relationships must evolve

    Traditional vendor management approaches are still important for organizations to develop and maintain. But exponential relationships bring new challenges:

    • A shift from managing technology service agreements to managing business capability agreements
    • Increased vendor access to intellectual property, confidential information, and customers

    IT leaders must adapt traditional vendor management capabilities to successfully lead this change.

    To deliver exponential value

    Outcome-based relationships should not be undertaken lightly as they can significantly impact the risk profile of the organization. Use this research to:

    • Assess your foundational vendor management capabilities as well as the transformative capabilities you need to manage outcome-based relationships.
    • Identify where you need to build your capabilities in order to successfully manage relationships.
    • Successfully manage outcomes, financials, risk, and relationships in complex vendor partnerships.

    Exponential value relationships will help drive exponential IT and autonomization of the enterprise.

    Info-Tech Insight

    Outcome-based partnerships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

    Vendor relationships can be worth billions of dollars

    Positive vendor relationships directly impact the bottom line, sometimes to the tune of billions of dollars annually.

    • Organizations typically spend 40% to 80% of their total budget on external suppliers.
    • Greater supplier trust translates directly to greater business profits, even in traditional vendor relationships. [1]
    • Based on over a decade of data from vehicle manufacturers, greater supplier relationships nearly doubled the unit profit margin on vehicles, contributing over $20 billion to Toyota’s annual profits based on typical sales volume. [2]
    • Having positive vendor relationships can be instrumental in times of crisis – when scarcity looms, vendors often choose to support their best customers. [3][4] For example, Toyota protected itself from the losses many original equipment manufacturers (OEMs) faced in 2020 and showed improved profitability that year due to increased demand for vehicles which it was able to supply as a result of top-ranked vendor relationships.

    [1] PR Newswire, 2022.
    [2] Based on 10 years of data comparing Toyota and Nissan, every 1-point increase in the company’s Working Relations Index was correlated with a $15.77 net profit increase per unit. Impact on Toyota annual profits is based on 10.5 million units sold in 2021 and 2022.
    [3] Interview with Renee Stanley, University of Texas at Arlington. Conducted 17 May 2023.
    [4] Plante Moran, 2020.

    Supplier Trust Impacts OEM Profitability

    Sources: Macrotrends, Plante Moran 2022, Nissan 2022 and 2023, and Toyota 2022. Profit per car is based on total annual profit divided by total annual sales volume.

    Outcome-based relationships are a new paradigm

    In a new model where organizations are procuring autonomous capabilities, outcomes will govern vendor relationships.

    An outcome-based relationship requires a higher level of mutual trust than traditional vendor relationships. This requires shared reward and shared risk.

    Don’t forget about traditional vendor management relationships! Not all vendor relationships can (or should) be outcome-based.

    Managing Exponential Value Relationships.

    Case study

    INDUSTRY: Technology

    SOURCE: Press Release

    Microsoft and OpenAI partner on Azure, Teams, and Microsoft Office suite

    In January 2023, Microsoft announced a $10 billion investment in OpenAI, allowing OpenAI to continue scaling its flagship large language model, ChatGPT, and giving Microsoft first access to deploy OpenAI’s products in services like GitHub, Microsoft Office, and Microsoft Teams.

    Shared risk

    Issues with OpenAI’s platforms could have a debilitating effect on Microsoft’s own reputation – much like Google’s $100 billion stock loss following a blunder by its AI platform Bard – not to mention the financial loss if the platform does not live up to the hype.

    Shared reward

    This was a particularly important strategic move by Microsoft, as its main competitors develop their own AI models in a race to the top. This investment also gave OpenAI the resources to continue scaling and evolving its services much faster than it would be capable of on its own. If OpenAI’s products succeed, there is a significant upside for both companies.

    The image contains a graph that demonstrates time to reach 1 million users.

    Adapt your approach to vendor relationships

    Both traditional vendors and exponential relationships are important.

    Traditional procurement

    • Ideal for procuring a product or service
    • Typically evaluates vendors based on their capabilities and track record of success
    • Focuses on metrics, KPIs, and contracts to deliver success to the organization purchasing the product or service
    • Vendors typically only have access to company data showing what is required to deliver their product or service

    Vendor management

    • Ideal for managing vendors supplying products or services
    • Typically evaluates vendors based on the value and the criticality of a vendor to drive VM-resource allocation
    • External vendors do not generally participate in sharing of risks or rewards outside of payment for services or incentives/penalties
    • Vendors typically have limited access to company data

    Exponential vendor relationships

    • Ideal for procuring an autonomous capability
    • Typically evaluated based on the total possible value creation for both parties
    • External vendors share in substantial portions of the risks and rewards of the relationship
    • Vendors typically have significant access to company data, including proprietary methods, intellectual property, and customer lists

    Use this research to successfully manage outcome-based relationships.

    Use Info-Tech’s research to Jump Start Your Vendor Management Initiative.

    Common obstacles

    Exponential relationships require new approaches to vendor management as businesses autonomize:

    • Autonomization refers to the shift toward autonomous business capabilities which leverage technologies such as AI and quantum computing to operate independently of human interaction.
    • The speed and complexity of technology advancement requires that businesses move quickly and confidently to develop strong relationships and deliver value.
    • We are seeing businesses shift from procuring products and services to procuring autonomous business capabilities (sometimes called “as a service,” or aaS). This shift can drive exponential value but also increases complexity and risk.
    • Exponential IT requires a shift in emphasis toward more mature relationship and risk management strategies, compared to traditional vendor management.

    The shift from technology service agreements to business capability agreements needs a new approach

    Eighty-seven percent of organizations are currently experiencing talent shortages or expect to within a few years.

    Source: McKinsey, “Mind the [skills] gap”, 2021.

    Sixty-three percent of IT leaders plan to implement AI in their organizations by the end of 2023.

    Source: Info-Tech Research Group survey, 2022

    Insight summary

    Build trust

    Successfully managing exponential relationships requires increased trust and the ability to share both risks and rewards. Outcome-based vendors typically have greater access to intellectual property, customer data, and proprietary methods, which can pose a risk to the organization if this information is used to benefit competitors. Build mutual trust by sharing both risks and rewards.

    Manage risk

    Outcome-based relationships with external vendors can drastically affect an organization’s risk profile. Carefully consider third-party risk and shared risk, including ESG risk, as well as the business risk of losing control over capabilities and assets. Qualified risk specialists (such as legal, regulatory, contract, intellectual property law) should be consulted before entering outcome-based relationships.

    Drive outcomes

    Fostering strategic relationships can be instrumental in times of crisis, when being the customer of choice for key vendors can push your organization up the line from the vendor’s side – but be careful about relying on this too much. Vendor objectives may not align with yours, and in the end, everyone needs to protect themselves.

    Assess your readiness for exponential value relationships

    Key deliverable:

    Exponential Relationships Readiness Assessment

    Determine your readiness to build exponential value relationships.

    Measure the value of this blueprint

    Save thousands of dollars by leveraging this research to assess your readiness, before you lose millions from a relationship gone bad.

    Our research indicates that most organizations would take months to prepare this type of assessment without using our research. That’s over 80 person-hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Doesn’t your staff have better things to do?

    Start by answering a few brief questions, then return to this slide at the end to see how much your answers have changed.

    Establish Baseline Metrics

    Use Info-Tech’s Exponential Relationships Readiness Assessment.

    Estimated time commitment without Info-Tech’s research (person-hours)

    Establish a baseline

    Gauge the effectiveness of this research by asking yourself the following questions before and after completing your readiness assessment:

    Questions (record an answer for each, Before and After):

    • To what extent are you satisfied with your current vendor management approach?
    • How many of your current vendors would you describe as being of strategic importance?
    • How much do you spend on vendors annually?
    • How much value do you derive from your vendor relationships annually?
    • Do you have a vendor management strategy?
    • What outcomes are you looking to achieve through your vendor relationships?
    • How well do you understand the core capabilities needed to drive successful vendor management?
    • How well do you understand your current readiness to engage in outcome-based vendor relationships?
    • Do you feel comfortable managing the risks when working with organizations to implement artificial intelligence and other autonomous capabilities?

    How to use this research

    Five tips to get the most out of your readiness assessment.

    1. Each category consists of five competencies, with a maximum of five points each. The maximum score on this assessment is 100 points.
    2. Effectiveness levels range from basic (level 1) to advanced (level 5). Level 1 is generally considered the baseline for most effectively operating organizations. If your organization is struggling with level 1 competencies, it is recommended to improve maturity in those areas before pursuing exponential relationships.
    3. This assessment is qualitative; complete the assessment to the best of your ability, based on the scoring rubric provided. If you fall between levels, use the lower one in your assessment.
    4. The scoring rubric may not perfectly fit the processes and practices within every organization. Consider the spirit of the description and score accordingly.
    5. Other industry- and region-specific competencies may be required to succeed at exponential relationships. The competencies in this assessment are a starting point, and internal validation and assessments should be conducted to uncover additional competencies and skills.

    Financial management

    Manage your budget and spending to stay on track throughout your relationship.

    “Most organizations underestimate the amount of time, money, and skill required to build and maintain a successful relationship with another organization. The investment in exponential relationships is exponential in itself – as are the returns.”

    – Jennifer Perrier, Principal Research Director, Info-Tech Research Group

    This step involves the following participants:

    • Executive leadership team, including CIO
    • CFO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage scope and budget in exponential IT relationships.

    Successfully manage complex finances

    Stay on track and keep your relationship running smoothly.

    Why is this important?

    • Finance is at the core of most businesses – it drives decision making, acts as a constraint for innovation and optimization, and plays a key role in assessing options (such as return on investment or payback period).
    • Effectively managing finances is a critical success factor in developing strong relationships. Each organization must be able to manage their own budget and spending in order to balance the risk and reward in the relationship. Often, these risks and rewards will come in the form of profit and loss or revenue and spend.

    Build it into your practice:

    1. Ensure your financial decision-making practices are aligned with the organizational and relationship strategy. Do metrics and criteria reflect the organization’s goals?
    2. Develop strong accounting and financial analysis practices – this includes the ability to conduct financial due diligence on potential vendors.
    3. Develop consistent methodology to track and report on the desired outcomes on a regular basis.

    Build your ability to manage finances

    The five competencies needed to manage finances in exponential value relationships are:

    • Budget procedures: Clearly articulate and communicate budgets, with proactive analysis and reporting.
    • Financial alignment: There is a strong, direct alignment between financial outcomes and organizational strategy and goals.
    • Adaptability: Financial structures can manage many different types of relationships and structures without major overhaul.
    • Financial analysis: Proactive financial analysis is conducted regularly, with actionable insights.
    • Reporting & compliance: This exceeds legal requirements and includes proactive and actionable reporting.

    Relationship management

    Drive exponential value by becoming a customer of choice.

    “The more complex the business environment becomes — for instance, as new technologies emerge or as innovation cycles get faster — the more such relationships make sense. And the better companies get at managing individual relationships, the more likely it is that they will become “partners of choice” and be able to build entire portfolios of practical and value-creating partnerships.”

    (“Improving the management of complex business partnerships.” McKinsey, 2019)

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage relationships in exponential IT relationships.

    Take your relationships to the next level

    Maintaining positive relationships is key to building trust.

    Why is this important?

    • All relationships will experience challenges, and the ability to resolve these issues will rely heavily on the relationship management skills and soft skills of the leadership within each organization.
    • Based on a 20-year study of vendor relationships in the automotive sector, business-to-business trust is a function of reasonable demands, follow-through, and information sharing.
    (Source: Plante Moran, 2020)

    Build it into your practice:

    1. Develop the soft skills necessary to promote psychological safety, growth mindset, and strong and open communication channels.
    2. Be smart about sharing information – you don’t need to share everything, but being open about relevant information will enhance trust.
    3. Both parties need to work hard to develop the trust necessary to build a true relationship. This will require increased access to decision-makers, clearly defined guardrails, and the ability for unsatisfied parties to leave.

    Build your ability to manage relationships

    The five competencies needed to manage relationships in exponential partnerships are:

    • Strategic alignment: Work with vendors to create roadmaps and strategies to drive mutual success.
    • Follow-through: Ensure demands are reasonable and consistently follow through on commitments.
    • Information sharing: Proactively and freely share relevant information between parties.
    • Shared risk & rewards: Equitably share responsibility for outcomes and benefits from success.
    • Communication: Ensure clear, proactive, and frequent communication occurs between parties.

    Performance management

    Outcomes management focuses on results, not methods.

    According to Jennifer Robinson, senior editor at Gallup, “This approach focuses people and teams on a concrete result, not the process required to achieve it. Leaders define outcomes and, along with managers, set parameters and guidelines. Employees, then, have a high degree of autonomy to use their own unique talents to reach goals their own way.” (Forbes, 2023)

    In the context of exponential relationships, vendors can be given a high degree of autonomy provided they meet their objectives.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage outcomes in exponential IT relationships.

    Manage outcomes to drive mutual success

    Build trust by achieving shared objectives.

    Why is this important?

    • Relationships are based on shared risk and shared reward for all parties. In order to effectively communicate the shared rewards, you must first understand and communicate your objectives for the relationship, then measure outcomes to ensure all parties are benefiting.
    • Effectively managing outcomes reduces the risk that one party will choose to leave based on a perception of benefits not being achieved. Parties may still leave the agreement, but decisions should be based on shared facts and issues should be communicated and addressed early.

    Build it into your practice:

    1. Clearly articulate what you hope to achieve by entering an outcome-based relationship. Each party should outline and agree to the goals, objectives, and desired outcomes from the relationship.
    2. Document how rewards will be shared among parties. What type of rewards are anticipated? Who will benefit and how?
    3. Develop consistent methodology to track and report on the desired outcomes on a regular basis. This might consist of a vendor scorecard or a monthly meeting.

    Build your ability to manage outcomes

    The five competencies needed to manage outcomes in exponential value relationships are:

    • Goal setting: Set specific, measurable and actionable goals, and communicate them with stakeholders.
    • Negotiation: Clearly articulate and agree upon measurable outcomes between all parties.
    • Performance tracking: Proactively track progress toward goals/outcomes and discuss results with vendors regularly.
    • Issue resolution: Openly discuss potential issues and challenges on a regular basis. Find collaborative solutions to problems.
    • Scope management: Proactively manage scope and discuss with vendors on a regular basis.

    Risk management

    Exponential IT means exponential risk – and exponential rewards.

    One of the key differentiators between traditional vendor relationships and exponential relationships is the degree to which risk is shared between parties. This is not possible in all industries, which may limit companies’ ability to participate in this type of exponential relationship.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Risk management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage risk in exponential IT relationships.

    Relationships come with a lot of hidden risks

    Successfully managing complex risks can be the difference between a spectacular success and company-ending failure.

    Why is this important?

    • Relationships inherently involve a loss of control. You are relying on another party to fulfill their part of the agreement, and you depend on the success of the outcome. Loss of control comes with significant risks.
    • Sharing in risk is what differentiates an outcome-based relationship from a traditional vendor relationship; vendors must have skin in the game.
    • Organizations must consider many different types of risk when considering a relationship with a vendor: fraud, security, human rights, labor relations, ESG, and operational risks. Remember that risk is not inherently bad; some risk is necessary.

    Build it into your practice:

    1. Build or hire the necessary risk expertise needed to properly assess and evaluate the risks of potential vendor relationships. This includes intellectual property, ESG, legal/regulatory, cybersecurity, data security, and more.
    2. Develop processes and procedures which clearly communicate and report on risk on a regular basis.

    Info-Tech Insight

    Some highly regulated industries (such as finance) are prevented from transferring certain types of risk. In these industries, it may be much more difficult to form vendor relationships.

    Don’t forget about third-party ESG risk

    Customers care about ESG. You should too.

    Protect yourself against third-party ESG risks by considering the environmental and social impacts of your vendors.

    Third-party ESG risks can include the following:

    • Environmental risk: Vendors with unsustainable practices such as carbon emissions, waste generation, or natural resource depletion can negatively impact the organization’s environmental goals.
    • Social risk: Unsafe or illegal labor practices, human rights violations, and supply chain management issues can reflect negatively on organizations that choose to work with vendors who engage in such practices.
    • Governance risk: Vendors who engage in illegal or unethical behaviors, including bribery and corruption or data and privacy breaches, can impact downstream customers.

    Working with vendors that have a poor record of ESG carries a very real reputational risk for organizations who do not undertake appropriate due diligence.

    A global survey of nearly 14,000 customers revealed that…

    • Seventy-seven percent of customers believe companies have a responsibility to manufacture sustainably.
    • Sixty-eight percent of customers believe businesses should ensure their suppliers meet high social and environmental standards.
    • Fifty-five percent of customers consider the environmental impact of production in their purchasing decisions.

    Source: EY Future Consumer Index, 2021

    Build your ability to manage risk

    The five competencies needed to manage risk in exponential value relationships are:

    • Third-party risk: Understand and assess third-party risk, including ESG risk, in potential relationships.
    • Value chain: Assess risk throughout the value chain for all parties and balance risk among parties.
    • Data management: Proactively assess and manage potential data risks, including intellectual property and strategic data.
    • Regulatory & compliance: Manage regulatory and compliance risks, including understanding risk transfer and ultimate risk holder.
    • Monitoring & reporting: Proactive and open monitoring and reporting of risks, including regular communication among stakeholders.

    Contract management

    Contract management is a critical part of vendor management.

    Well-managed contracts include clearly defined pricing, performance-based outcomes, clear roles and responsibilities, and appropriate remedies for failure to meet requirements. In outcome-based relationships, contracts are generally used as a secondary method of enforcing performance, with relationship management being the primary method of addressing challenges and ensuring performance.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Risk management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage risk in exponential IT relationships.

    Build your ability to manage contracts

    The five competencies needed to manage contracts in exponential value relationships are:

    • Pricing: Pricing is clearly defined in contracts so that the total cost is understood including all fees, optional pricing, and set caps on increases.
    • Performance outcomes: Contracts are performance-based whenever possible, including deliverables, milestones, service levels, due dates, and outcomes.
    • Roles and responsibilities: Each party's roles and responsibilities are clearly defined in the contract documents with adequate detail.
    • Remedies: Contracts contain appropriate remedies for a vendor's failure to meet SLAs, due dates, and other obligations.
    • Payment: Payment is made after performance targets are met, approved, or accepted.

    Activity 1: Assess your readiness for exponential relationships

    1-3 hours

    1. Gather key stakeholders from across your organization to participate in the readiness assessment exercise.
    2. As a group, review the core competencies from the previous four sections and determine where your organization’s effectiveness lies for each competency. Record your responses in the Exponential Relationships Readiness Assessment tool.

    Download the Exponential Relationships Readiness Assessment tool.

    Input

    • Core competencies
    • Knowledge of internal processes and capabilities

    Output

    • Readiness assessment

    Materials

    • Exponential Relationships Readiness Assessment tool
    • Whiteboard/flip charts

    Participants

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Understand your assessment

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Create an action plan.

    Understand the results of your assessment

    Consider the following recommendations based on your readiness assessment scores:

    • The chart to the right shows sample results. The bars indicate the recommended scores, and the line indicates the readiness score.
    • Three or more categories below the recommended scores, or any categories more than five points below the recommendation: outcome-based relationships are not recommended at this time.
    • Two or more categories below the recommended scores: Proceed with caution and limit outcome-based relationships to low-risk areas. Continue to mature capabilities.
    • One category below the recommended scores: Evaluate the risks and benefits before engaging in higher-risk vendor relationships. Continue to mature capabilities.
    • All categories at or above the recommended scores: You have many of the core capabilities needed to succeed at exponential relationships! Continue to evaluate and refine your vendor relationships strategy, and identify any additional competencies needed based on your industry or region.

    Acme Corp Exponential Relationships Readiness.

    Activity 2: Create an action plan

    1 hour

    1. Gather the stakeholders who participated in the readiness assessment exercise.
    2. As a group, review the results of the readiness assessment. Were there any surprises? Do the results reflect your understanding of the organization’s maturity?
    3. Determine which areas are likely to limit the organization’s relationship capability, based on lowest scoring areas and relative importance to the organization.
    4. Break out into groups and have each group identify three actions the organization could take to mature the lowest scoring areas.
    5. Bring the group back together and prioritize the actions. Note who will be accountable for each next step.

    Input

    • Readiness assessment

    Output

    • Action plan to improve maturity of capabilities

    Materials

    • Exponential Relationships Readiness Assessment tool
    • Whiteboard/flip charts

    Participants

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Related Info-Tech Research

    Jump Start Your Vendor Management Initiative
    Create and implement a vendor management framework to begin obtaining measurable results in 90 days.

    Elevate Your Vendor Management Initiative
    Transform your VMI from tactical to strategic to maximize its impact and value.

    Evaluate Your Vendor Account Team to Optimize Vendor Relations
    Understand the value of knowing your account team’s influence in the organization, and your influence, to drive results.

    Build an IT Risk Management Program
    Mitigate the IT risks that could negatively impact your organization.

    Build an IT Budget
    Effective IT budgets are more than a spreadsheet. They tell a story.

    Adopt an Exponential IT Mindset
    Thrive through the next paradigm shift.

    Author

    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.

    Kim holds a Bachelor’s degree in Honours Mechatronics Engineering and an option in Management Sciences from the University of Waterloo.

    Research Contributors and Experts

    Jack Hakimian
    Senior Vice President
    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multibillion-dollar organizations in multiple industries including financial services and telecommunications. Jack also served several large public sector institutions.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Michael Tweedie
    Practice Lead, CIO Strategy
    Info-Tech Research Group

    Mike Tweedie brings over 25 years as a technology executive. He’s led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor’s degree in Architecture from Ryerson University.

    Scott Bickley
    Practice Lead, VCCO
    Info-Tech Research Group

    Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group, focused on Vendor Management and Contract Review. He also has experience in the areas of IT Asset Management (ITAM), Software Asset Management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management.

    Scott holds a B.S. in Justice Studies from Frostburg State University. He also holds active IAITAM certification designations of CSAM and CMAM and is a Certified Scrum Master (SCM).

    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group, specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multistakeholder industry initiatives.

    Donna has a bachelor’s degree in economics from the University of Western Ontario.

    Jennifer Perrier
    Principal Research Director
    Info-Tech Research Group

    Jennifer has 25 years of experience in the information technology and human resources research space, joining Info-Tech in 1998 as the first research analyst with the company. Over the years, she has served as a research analyst and research manager, as well as in a range of roles leading the development and delivery of offerings across Info-Tech’s product and service portfolio, including workshops and the launch of industry roundtables and benchmarking. She was also Research Lead for McLean & Company, the HR advisory division of Info-Tech, during its start-up years.

    Jennifer’s research expertise spans the areas of IT strategic planning, governance, policy and process management, people management, leadership, organizational change management, performance benchmarking, and cross-industry IT comparative analysis. She has produced and overseen the development of hundreds of publications across the full breadth of both the IT and HR domains in multiple industries. In 2022, Jennifer joined Info-Tech’s IT Financial Management Practice with a focus on developing financial transparency to foster meaningful dialogue between IT and its stakeholders and drive better technology investment decisions.

    Phil Bode
    Principal Research Director
    Info-Tech Research Group

    Phil has 30+ years of experience with IT procurement-related topics: contract drafting and review, negotiations, RFXs, procurement processes, and vendor management. Phil has been a frequent speaker at conferences, a contributor to magazine articles in CIO Magazine and ComputerWorld, and quoted in many other magazines. He is a co-author of the book The Art of Creating a Quality RFP.

    Phil has a Bachelor of Science in Business Administration with a double major of Finance and Entrepreneurship and a Bachelor of Science in Business Administration with a major of Accounting, both from the University of Arizona.

    Research Contributors

    Erin Morgan
    Assistant Vice President, IT Administration
    University of Texas at Arlington

    Renee Stanley
    Assistant Director IT Procurement and Vendor Management
    University of Texas at Arlington

    Note: Additional contributors did not wish to be identified.

    Build an ITSM Tool Implementation Plan

    • Member rating, overall impact: 7.5/10
    • Member rating, average dollars saved: $9,246
    • Member rating, average days saved: 7
    • Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project, but also a process improvement opportunity.
    • Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool, but they will not fix your processes for you.
    • Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment.
    • Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

    Our Advice

    Critical Insight

    • Start with the assumption you don’t need to migrate old data.
    • ITSM tools are designed to support ITIL best practices.
    • Implement your new tool in stages to manage scope.

    Impact and Result

    • Ability to plan and scope the project to avoid or reduce last-minute chaos.
    • Opportunity to review and optimize processes as part of the ITSM tool implementation project.
    • Improved project management, and therefore, better cost and effort estimates, by identifying required tasks upfront.

    Build an ITSM Tool Implementation Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an ITSM Tool Implementation Plan Deck – An implementation guide that walks you through the steps to ensure the tool delivers business value.

    There may be hundreds of parameters to define and decisions to make, so identifying the full list of tasks early is critical for the success of the implementation project.

    • Build an ITSM Tool Implementation Plan – Phases 1-3

    2. ITSM Tool Project Charter Template – A charter to document your project scope, milestones, stakeholders, risks, etc., to kick off and manage your project.

    This project charter document summarizes the Project Overview (Description, background, drivers, and objectives), Governance and Management (Project stakeholders/roles, budget, and dependencies), and Risk, Assumptions, and Constraints (Known and potential risks and mitigation strategy).

    • ITSM Tool Implementation Project Charter Template

    3. ITSM Tool Implementation Checklist – A tool to help identify the most common decisions you will need to make and prepare for your implementation project.

    The checklists in this tool identify the most common decisions and preparation you will need to make to support the implementation for the ITSM modules that we recommend are set up first: incident management and service requests; change management; and asset management. Use these checklists as a model to follow for any additional ITSM modules you plan to implement, and refer to Info-Tech's blueprints for each service management topic for additional guidance.

    • ITSM Tool Implementation Checklist

    4. ITSM Tool Deployment Plan Template – A tool to help prioritize and prepare your tool rollout plan.

    This deployment plan documents the strategy and decisions made for the transition to the new ITSM tool, and the details needed to execute the cutover to a live environment, including how, when, and where.

    • ITSM Tool Deployment Plan Template

    5. ITSM Tool Training Schedule – Use the tool to create your new tool training roadmap.

    This template is a guide for creating a training and communication plan as part of the implementation project for your ITSM tool. Use the template to document and plan the communications and training needs prior to deployment of the new tool.

    • ITSM Tool Training Schedule

    Further reading

    Build an ITSM Tool Implementation Plan

    Plan ahead with a step-by-step approach to ensure the tool delivers business value.

    EXECUTIVE BRIEF

    Analyst perspective

    Take control of the wheel or you might end up in a ditch.

    An ITSM tool implementation is a complex project with direct impact on IT’s ability to support the business. With that level of risk, you need to take control early on.

    Yes, your vendor will support or execute the technical implementation, but they depend on you to tell them how to configure ITSM parameters and workflows that affect user interface, the ability to manage incidents, and governance over assets and IT changes.

    If you leave the configuration completely to the vendor, at best you might get the same setup as in your old tool (and not realize the benefits that leadership is expecting). At worst, you end up with default values that don’t fit your process needs, which leads to confusion and to not realizing the expected benefits.

    A successful implementation requires early planning from a wide range of resources including ITSM tool experts (supported by the vendor), process experts, and a project manager to methodically step through the hundreds of parameters you will need to define before implementation.

    Frank Trovato
    Research Director, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Leadership has invested significantly in a new ITSM tool and expects to see the benefits they were promised by the vendor and the procurement team.

    The ITSM project team needs to balance leadership expectations with the direct impact this project will have on IT staff and end users.

    Common Obstacles

    Implementing an ITSM tool is a large project that is often highly complex in part because it requires input from a wide range of stakeholders: IT staff, end users, senior management, and vendors.

    A new ITSM tool will change how IT staff work and how users are serviced, and change is always difficult.

    Finally, implementing the new tool requires a migration from an existing tool without a pause in IT service availability. Incidents don’t take a week off while you execute the final product rollout.

    Info-Tech’s Approach

    There may be hundreds of parameters to define and decisions to make, so identifying the full list of tasks early is critical to:

    • Identify the necessary stakeholders to provide input into implementation decisions.
    • Properly define scope and timelines.
    • Take advantage of the opportunity to review and improve processes as part of defining what will need to be configured in the new ITSM tool.

    Info-Tech Insight

    As with any large project, a key step is tackling it one bite at a time – but also understanding the size of the whole meal. This is where organizations often fail with ITSM implementations: not understanding upfront the volume of work required for a successful implementation.

    Your Challenge

    Organizations implementing a new ITSM tool often face these pitfalls:

    • Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project but also a process improvement opportunity. You will need to configure ITSM parameters and workflows in the new tool – which directly affects processes. Take advantage of that opportunity to fix pain points. For example, if your existing ticket categories are not effective, implement a better categorization scheme rather than just configure the same old, ineffective scheme.
    • Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool but they will not fix your processes for you. On installation day, if you are not prepared with the categories, ticket templates, and so on that you wish to configure, your vendor will just go with the default or migrate your old parameters from your old ITSM tool.
    • Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment. That takes planning and must be defined well before the vendor is ready to implement your tool.
    • Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

    A survey of implementation challenges for ServiceNow’s customers

    26% Resistance to change

    43% Lacked a clear roadmap

    38% Planning for resources

    Source: Acorio, 2019

    Info-Tech’s approach

    Divide the implementation project into controllable phases for an effective implementation.

    Plan

    Define the scope of your project, identify and get buy-in from your stakeholders, and establish a timeframe for the implementation.

    Design & Build

    Identify existing process challenges and design workflows and ticket management to improve processes. Make decisions on data migrations and integrations for your new tool.

    Deploy & Train

    Create a rollout plan and communicate changes and improvements to users. Plan for the new tool deployment and monitor your solution.

    STOP: Use this blueprint after you have selected an ITSM solution

    Leverage our SoftwareReviews service and related blueprints to assist with ITSM tool selection, and then use this blueprint to plan the implementation.

    1. Evaluate solutions

    Use our SoftwareReviews resources to evaluate solutions and vendors based on criteria such as features and customer service. Below are links to our ITSM software reviews:

    2. Select and purchase

    Use the following resources to help you make the case for funding and execute the purchase process:

    3. Implement (use this blueprint)

    Your ITSM vendor or systems integrator will lead the technical implementation (e.g. software install and integration).

    As a result, your implementation plan needs to focus on preparing the information needed for implementation (e.g. ticket categories, workflow requirements) and organizational change management.

    This blueprint provides a methodology, checklist, and supporting templates to prepare for the implementation.

    Info-Tech’s methodology to build an ITSM Tool Implementation Plan

    1. Identify Scope, Stakeholders, and Preliminary Timeline

    2. Prepare to Implement Incident Management and Service Request Modules

    3. Create a Deployment Plan (Communication, Training, Rollout)

    Phase Steps

    1.1 Define scope

    1.2 Define roles and responsibilities

    1.3 Identify preliminary timeline

    2.1 Review your existing solution and challenges

    2.2 Plan ticket management and workflow implementation

    2.3 Plan data migration, knowledgebase setup, and integrations

    2.4 Plan the module rollout

    3.1 Create a communication plan (for IT, users, and business leaders)

    3.2 Create a training plan

    3.3 Plan how you will deploy, monitor, and maintain the solution

    Phase Outcomes

    • RACI chart outlining high-level accountability and responsibilities for the project
    • Documenting timeline and team for the implementation project
    • ITSM tool implementation checklist
    • Strategy and identified opportunities to implement incident and service request modules
    • Documented communications and targeted training plan
    • Completed rollout plan and prepared to monitor your success metrics

    Insight summary

    Start with the assumption you don’t need to migrate old data

    We all love data. We love being able to run reports showing trends, measuring changes over time, and highlighting pain points – but is your data from five years ago relevant to those assessments? Can you get by with just migrating open tickets and perhaps just the last year of critical tickets?

    Be ruthless in deciding what really needs to be in your active system to support incident matching, troubleshooting, or ongoing reporting.

    If you can’t make a strong case, don’t waste your time on old data. Remember, you can still save an exported copy or report of your old data if the need arises to search historical records.

    ITSM tools are designed to support ITIL best practices

    For organizations lacking process maturity, the tool’s default settings will often provide a good starting point. For example, a good ITSM tool will typically already be configured to follow best practices such as:

    • Separating incidents from service requests
    • Assigning resolution codes to solved tickets
    • Enabling routing based on categories

    Within those defaults, you will still need to decide your specific parameters – e.g. what your categories and resolution codes should be – so don’t blindly follow default settings but use them as a starting point.

    Implement your new tool in stages to manage scope

    Start with the incident management and service requests modules. Those are typically the core of IT service management operations, so that should help realize benefits from the new tool sooner. In addition, incident management and service requests processes will support other ITSM processes such as asset management and problem management.

    Once those modules are implemented successfully (from a technology and process perspective), then start to implement your next core module (e.g. asset or change management), and continue to build from there.

    Blueprint deliverables

    This blueprint includes tools and templates to help you accomplish your goals:

    ITSM Tool Implementation Checklist

    Identify the most common decisions you will need to make and prepare for your implementation project.

    ITSM Tool Project Charter Template

    Review and edit the template to suit your project requirements

    ITSM Tool Deployment Plan Template

    Prioritize and prepare your tool rollout plan

    ITSM Tool Training Schedule

    Use the checklist to create your new tool training roadmap

    Blueprint benefits

    Benefits for IT

    • Checklists and templates to support a smoother transition to the new ITSM tool.
    • Opportunity to review and optimize processes as part of the ITSM tool implementation project. A new tool with the same old processes will not achieve expected benefits.
    • Ability to plan and scope the project to avoid or reduce last-minute chaos.

    Benefits for the business

    • Better planning means better results – specifically, ensuring that the implementation takes into account targeted business benefits.
    • Improved project management, and therefore better cost and effort estimates, by identifying required tasks upfront. This also provides the opportunity to re-scope or adjust timelines based on estimated effort.
    • Higher end-user satisfaction by executing a well-organized ITSM tool implementation.

    Measured value from using this blueprint

    Use this guide as an example to calculate your total cost savings from the ITSM tool implementation project.

    Phase 1

    Identify Scope, Stakeholders, and Preliminary Timeline

    Time, value, and resources saved by using Info-Tech’s methodology to define scope and plan your project

    E.g. 2 FTEs * 6 days * $80,000/year = $4,000/-

    Phase 2

    Prepare to Implement Incident Management and Service Request Modules

    Time, value, and resources saved by using Info-Tech’s methodology to build your solution strategy and determine configurations

    E.g. 2 FTEs * 8 days * $80,000/year = $5,400/-

    Phase 3

    Create a Deployment Plan (Communication, Training, Rollout)

    Time, value, and resources saved by using Info-Tech’s methodology to establish an effective communications roadmap and deploy tool

    E.g. 2 FTEs * 6 days * $80,000/year = $4,000/-

    Total Savings

    Phase 1 + Phase 2 + Phase 3 = $13,400

    Info-Tech offers various levels of support to best suit your needs

    • DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
    • Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
    • Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
    • Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1

    Call #1: Define scope, roles, responsibilities and timeline.

    Phase 2

    Call #2: Review your existing solution and challenges.

    Call #3: Plan ticket management and workflow implementation.

    Call #4: Plan data migration, knowledgebase setup, and integrations.

    Call #5: Plan the module rollout.

    Phase 3

    Call #6: Create a communication plan.

    Call #7: Create a training plan.

    Call #8: Plan how you will deploy, monitor, and maintain the solution.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 6 and 8 calls over the course of 3 to 6 months.

    Phase 1

    Identify Stakeholders, Scope, and Preliminary Timeline

    This phase will walk you through the following steps:

    1. Define scope
    2. Define roles and responsibilities
    3. Identify preliminary timeline

    Step 1.1

    Define scope

    Activities

    1.1.1 Use the Project Charter Template to capture project parameters

    1.1.2 Leverage the Implementation Checklist to guide your preparation

    1.1.3 Review goals that drove the ITSM tool purchase

    1.1.4 Interview ITSM staff to identify current tool challenges and support organizational change management

    1.1.5 Identify the modules and features you will plan to implement

    1.1.6 Determine if data migration is required

    This step will walk you through the following activities:

    • Define the scope of the implementation project
    • Establish the future processes and functionalities the tool will support

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Specifying the implementation project
    • Identifying the business units that are needed to support the project
    • Defining the ongoing and future service management processes the tool will support

    1.1.1 Use the Project Charter Template to capture scope, stakeholders, and timeline as outlined in Phase 1

    Follow the instructions in Phase 1 (steps 1.1, 1.2, and 1.3) to gather the information needed to create a project charter that defines project parameters.

    Specific subsections are listed below and described in more detail in the remainder of this phase.

    1. Project Overview: Includes deliverables, scope, milestones, and success metrics.
    2. Governance and Management: Includes roles, responsibilities, and resource requirements.
    3. Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies as well as any assumptions and constraints.
    4. Project Sign-Off: Includes IT and executive sign-off (if required).

    Download the ITSM Tool Implementation Project Charter Template

    1.1.2 Leverage the Implementation Checklist to guide your preparation

    The checklist tabs align to each phase of this blueprint.

    • Phase 1 (Tab 1) – Identify Stakeholders, Scope, and Preliminary Timeline
    • Phase 2 (Tab 2) – Prepare to Implement Incident Management and Service Request Modules
    • Phase 3 (Tabs 3+4) – Prepare to Implement Additional ITSM Modules (e.g. Change Management)
    • Phase 4 (deployment section in each tab) – Create a Deployment Plan (Communication, Training, Rollout)

    Download the ITSM Tool Implementation Checklist

    1.1.3 Review goals that drove the ITSM tool purchase

    Identify the triggers for the selection and implementation of your new ITSM tool.

    Whether this is your first ITSM tool or a replacement for your old tool, the project was likely triggered by pain points that must be addressed by the new tool to improve your service desk. Having a clear understanding of these pain points throughout the implementation of your new tool will help to prevent them from reoccurring.

    Common ITSM pain points include:

    1. Poor communication with end users on ticket status.
    2. Lack of SLA automation to escalate issues to the appropriate channels.
    3. Poor self-service options for end users to perform simple requests on their own.
    4. Undeveloped knowledgebase for users to find answers to common issues.
    5. Lack of reporting or mistrust in reporting data.
    6. Lack of automation, including ticket templates.
    7. Overcomplicated ticket categories resulting in categories being misused.
    8. Overconfiguration prevents future upgrades.
    9. Lack of integration with other tools.

    If you haven't already selected an ITSM tool, leverage the IT Service Management Selection Guide to select the right tool.

    Download the IT Service Management Selection Guide

    1.1.4 Plan to interview staff to support organizational change management

    Identify challenges with the existing tool and processes as well as potential objections to the new tool.

    Incorporate this feedback in the implementation to drive buy-in and a successful rollout.

    Implementing a new ITSM tool will force changes in how IT staff do their work:

    • At a minimum, it means learning a new interface.
    • It could also mean leveraging features that improve IT operations but could change the process or tasks for the staff.
    • Their input on the current tool and process challenges can be critical for the project.
    • Solving at least some of their challenges can help bring them onboard to use this tool properly and follow associated process changes.

    Info-Tech Insight

    Keep management in the loop through every stage of the implementation process. They are the ones who are paying for the software, so they need to be informed throughout implementation and feel that their needs and feedback are being heard to prevent pushback further into the implementation.

    1.1.5 Identify the modules and features you will plan to implement

    Consider these factors when deciding what modules and features you want to implement:

    • Specific ITSM modules based on the recommended order and any unique business requirements
    • Key features that drove the tool purchase and address key issues
    • High-level process changes needed to address challenges and realize expected benefits from the new ITSM tool (e.g. if a key goal was automated ticket routing based on categories, then the project needs to include developing a good categorization scheme)

    Recommended order for implementation:

    1. Incident Management and Service Request: This is the core of service management and typically has the highest impact on the organization. Include knowledgebase development as part of this implementation.
    2. Change Management: A foundational component of service management, it allows organizations to minimize disruptions to IT services when making changes to services and critical systems.
    3. Asset Management: A foundational component of service management, it allows organizations to track their assets’ locations, how they are used, and when changes are made to them.

    1.1.6 Determine if data migration is required

    If you are switching from a previous ITSM tool, carefully weigh the pros and cons as well as the necessity of migrating historical transactional data before deciding to import it into the new tool.

    Importing your old transactional data will allow you to track metrics over time, which can be valuable for data analysis and reporting purposes.

    However, ask yourself what the true value of your data is before you import it.

    You will not get value out of migrating the old data if:

    • You have incomplete or inaccurate data (a high percentage of incidents did not have tickets created in the old system).
    • The categorization of your old tickets was not useful or was used inconsistently.
    • You plan on changing the ticket categorization in the new system.

    “Don’t debate whether you can import your old data until you’ve made sure that you should.”

    – Barry Cousins, Practice Lead at Info-Tech Research Group

    Info-Tech Insight

    If you decide to migrate your data, keep in mind that it can be a complex process and proper time should be budgeted for planning, structuring the data, and importing and testing it.

    Step 1.2

    Define roles and responsibilities

    Activities

    • 1.2.1 Key internal roles and responsibilities
    • 1.2.2 Key external roles and responsibilities

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Decision on whether to hire professional services for the implementation
    • Clearly defined roles and responsibilities for the project

    1.2.1 Identify key internal roles and responsibilities

    Review the tasks outlined in the Implementation Checklist to help you identify appropriate roles and specific staff that will be needed to execute this project.

    | Project Role | Description | RACI | Assigned To |
    | --- | --- | --- | --- |
    | Executive Sponsor | Liaison with the executive team (the CIO would be a good candidate for this role). Accountable for project completion. Approves resource allocation and funding. | A, C | Name(s) |
    | Project Manager | Manages the project schedule, tasks, and budget. May act as a liaison between executives and the project-level team. | R | Name(s) |
    | Product Owner | Liaison with the vendor. SME for the new tool. Provides input to tool configuration decisions. Manages the tool post-implementation. | R | Name(s) |
    | Process Owners | Define current processes. Provide input to identifying current-state process challenges to address and potential changes as part of the new tool implementation. | R | Name(s) |
    | Service Desk Manager | Provides input to tool configuration decisions. Manages and trains service desk agents to use new tool and processes. | R | Name(s) |
    | ITSM Tool Core Users (e.g. Service Desk Technicians) | Provide input to identifying current-state process challenges to address. Provide input to tool configuration decisions. | C | Name(s) |

    RACI = Responsible, Accountable, Consulted, and Informed

    Assign individuals to roles through each step of the implementation project in the governance and management chart in the Project Charter Template.

    Download the Project Charter Template

    1.2.2 Key external roles and responsibilities

    Determine whether you will engage professional services for the implementation.

    There are three main ways to implement your ITSM tool:

    • Implemented in-house by own staff
    • Implemented using a combination of your own staff and your ITSM tool vendor
    • Implemented by professional services and your ITSM tool vendor

    DIY Implementation

    Adopting a DIY implementation approach can save money but could draw out your implementation timeline and increase the likelihood of errors. Carefully consider your integration environment to determine your resourcing capabilities and maturity.

    Vendor Implementation

    In most cases, your vendor will support or execute the technical implementation based on your requirements. Use this blueprint to help you define those requirements.

    Professional Services

    Opting for professional services may result in a shorter implementation period and fewer errors but may also deny your IT staff the opportunity to develop the skills necessary to maintain and configure the solution in the future.

    Clarify the role of the professional services vendor before acquiring their services to make sure your expectations are aligned. For example, are you hiring the vendor for tool installation, tool configuration, or tool customization or for training your end users?

    Step 1.3

    Identify preliminary timeline

    Activities

    • 1.3.1 Identify preliminary internal target dates
    • 1.3.2 Identify target dates for vendor involvement

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Specifying the target dates for the implementation project

    1.3.1 Identify preliminary internal target dates

    Identify high-level start and end dates based on the following:

    • Existing process maturity
    • Process changes required (to address process issues or to realize targeted benefits from the new tool)
    • Data migration requirements (if any)
    • Information to prepare for the implementation (review the Checklist Tool)
    • Vendor availability to support implementation
    • Executive mandates that have established specific milestone dates

    Create an initial project schedule:

    • Review the remaining phases of this blueprint for more details on the implementation planning steps.
    • Review and update the Checklist Tool to suit your implementation goals and requirements.
    • Assign task owners and target dates in the Checklist Tool.

    Note: This is a preliminary schedule. Monitor progress as well as requirement changes, and adjust the scope or schedule as needed.

    Update the columns in the Checklist Tool to plan and keep track of your implementation project.

    1.3.2 Identify target dates for vendor involvement

    Plan when you'll be ready for the vendor and identify the key points for when the vendor will come in.

    Are dates already scheduled for tool installation/configuration/customization?

    If yes:

    • Clarify vendor expectations for those target dates (i.e. what do you have to have prepared in advance?).
    • Determine options to adjust dates if needed.

    If no:

    • Defer scheduling until you have reviewed and updated the Implementation Checklist. The checklist will help you determine your readiness for vendor involvement.

    Consider if the vendor will implement the ITSM tool in one go or if they will help set up the tool in stages. Keep in mind that ITSM implementation projects typically take anywhere from 9 weeks to 16 months and plan accordingly depending on the maturity of your processes and the modules and features you plan to implement.

    Use your internal target dates to estimate when you'll be ready for the vendor to set up the tool and implement the settings that you've defined.

    Phase 2

    Prepare to Implement Incident Management and Service Request Modules

    • Phase 1: Identify Stakeholders, Scope, and Preliminary Timeline
    • Phase 2: Prepare to Implement Incident Management and Service Request Modules
    • Phase 3: Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    • Review your existing solution and challenges
    • Plan ticket management and workflow implementation
    • Plan data migration, knowledgebase setup, and integrations
    • Plan the module rollout

    Additional Info-Tech Research

    The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in these blueprints.

    Standardize the Service Desk

    Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

    Optimize the Service Desk With a Shift-Left Strategy

    Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

    Incident and Problem Management

    Develop a critical incident management workflow and create standard operating procedures for problem management.

    Step 2.1

    Review your existing solution and challenges

    Activities

    • 2.1.1 Configure, don’t customize, your solution to minimize risk
    • 2.1.2 Review your existing process and solution challenges for opportunities for improvement

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    2.1.1 Configure your tool, don’t customize it

    Your tool may require at least some basic configurations to align with your processes, but in most cases customization of the tool is not recommended.

    Configuration

    • Creating settings and recording reference data in the tool within the normal functionality of the tool.
    • Does not require changes to source code.

    Documentation of configurations is key.

    Failure to document configurations and the reasons for specific configurations will lead to:

    • Difficulty diagnosing incidents and problems.
    • Difficulty reconstructing the tool in the case of disaster recovery.
    • One administrator having all of the knowledge of configurations and taking it with them if they leave the organization.
    • Configurations that become useless in the future are maintained and lead to unnecessary work if documentation is not regularly reviewed.

    Customization

    • Extending the functionality of the tool beyond what it was originally intended to do.
    • Requires manual changes to source code.

    Carefully consider whether a customization is necessary.

    • Over-customization of your ITSM tool code may lock you into your current version of the software by preventing future patches and upgrades, leaving you with outdated software.
    • Over-customization becomes particularly risky when your ITSM solution is integrated with other tools, as a loss in functionality of your ITSM tool resulting from over-customization may cause disruptions across the business.
    • If your selected ITSM solution doesn’t do something you think you need it to do, carefully evaluate whether you really need that customization and if the trade-off of potentially limiting future innovation is worth it.

    Case Study

    Consider the consequences of over-customizing your solution.

    INDUSTRY: Education

    SOURCE: IT Director

    Situation

    A few years ago, the service management office at the university decided to switch ITSM tools, from Computer Associates to ServiceNow.

    They wanted the new tool to behave similarly to what they had previously, so they made a lot of customized code changes to ServiceNow during implementation.

    Challenge

    As a result of the customizations, much of the functionality of the tool was restricted, and the upgrades were not compatible with the solution.

    The external consultants who performed the customizations and backend work did not document their changes, leaving the service management team without an understanding of why they did what they did.

    Resolution

    The service management team is working with ServiceNow to slowly unravel the custom code to try to get the solution back to having out-of-the-box functionality, with the ability to be upgraded.

    It has been challenging to do this work without disrupting the functionality of the tool.

    Over-customization led to the organization paying for features they couldn’t use and spending more time and resources down the road to try to reverse the changes.

    2.1.2 Review your existing process to identify opportunities for improvement

    Documenting your existing processes is also an effective way to review those processes and identify inefficiencies. Take advantage of this project to fix your process issues.

    1. Document your existing workflows for incident management and service requests.
    2. Review your workflows to identify opportunities to optimize through process refinement (e.g. clarifying escalation guidelines) or by leveraging features in your new ITSM tool (e.g. improved workflow automation).
    3. Similarly, review the challenges identified through stakeholder interviews: is there an opportunity to address those challenges through process changes or by leveraging your new ITSM tool?
    4. Address those challenges and issues as you execute the tasks outlined in the Implementation Checklist Tool. For example, if inconsistent ticket routing was identified as a challenge due to a vague categorization scheme, that’s a driver to review and update your scheme rather than just carry forward your existing scheme.

    Regardless of your existing ITSM maturity, this is an opportunity to review and optimize existing processes. Even the most-mature organizations can typically find an area to improve.

    Case Study

    Reviewing and defining processes before the implementation can be a project in itself.

    INDUSTRY: Defense

    SOURCE: Anonymous

    Situation

    The organization was switching to a new ITSM tool. To prepare for the implementation, they gathered stakeholders, held steering committee meetings, and broke down key processes, teams, and owners before even meeting with the larger group.

    They used a software tool called InDesign to visibly map service requests and incidents and determine who owned each process and where the handoffs were.

    The service catalog also needed to be built out as they were performing certain services that didn’t relate to anything in the catalog.

    Challenge

    The goal for the implementation was to have it completed within a year, but it ended up going over, taking 15 to 16 months to complete.

    Most of the time was spent identifying processes upfront before configuring the tool. There were difficulties defining processes as well as agreeing on who owned a process or service.

    There were also difficulties agreeing upon who the valid stakeholders were for processes, as groups were siloed.

    The major obstacles to implementation were therefore people and process, not the product.

    Resolution

    New processes were introduced, and boundaries were placed around processes that were being done in the past that weren’t necessary.

    Once the groups were able to agree upon process owners, the tool configuration and implementation itself did not pose any major difficulties.

    After the implementation, the tool was continually improved and sharpened to adapt to processes.

    Step 2.2

    Plan ticket management and workflow implementation

    Activities

    • 2.2.1 Define ticket classification values
    • 2.2.2 Define ticket templates for common incident types and service requests
    • 2.2.3 Plan your ticket intake channels
    • 2.2.4 Design a self-service portal
    • 2.2.5 Plan your knowledgebase implementation in the new tool
    • 2.2.6 Design your ticket status notification processes and templates
    • 2.2.7 Identify required user accounts, access levels, and skills/service groups
    • 2.2.8 Review and update your workflows and escalation rules
    • 2.2.9 Identify desired reporting and relevant metrics to track

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    Tool is designed and configured to support service desk processes and organization needs.

    Checklist overview

    The ITSM Tool Implementation Checklist will help you estimate resources required to support demand, based on your ticket volume.

    • Tab 2: Incident and Service Modules Checklist
    • Tab 3: Change Management Modules
    • Tab 4: Asset Management Modules

    [Screenshots: ITSM Tool Implementation Checklist, tabs 2, 3, and 4]

    How to follow this section:

    The following slides contain a table that explains why each task in the module matters and what needs to be considered. Complete the checklist modules referring to this section.

    2.2.1 Define ticket classification values

    Ticket classification improves reporting, workflow automation, and problem identification.

    Review your existing ticket classification values to identify what to carry forward, drop, or change. For example, if your categorization scheme has become too complex, this is your opportunity to fix it; don’t perpetuate ineffective classification in the new tool.

    | Task | Why this matters |
    | --- | --- |
    | Ticket Types (e.g. incident, service request, change) | In particular, separating incidents from service requests supports appropriate ticket prioritization and resourcing; for example, an incident typically should be prioritized, and service requests can be scheduled. |
    | Categories (e.g. network, servers) | An effective categorization scheme can help identify ticket assignment and escalation (e.g. network tickets would be escalated to the network team), and potentially automate ticket routing. |
    | Resolution Codes | Indicates how the ticket was resolved (e.g. configuration change). Supports another layer of trends reporting and data to support problem identification. |
    | Status Values | Shows what status the ticket is currently in (e.g. if the ticket has been opened or assigned to an agent, if it is in progress or has been resolved). |

    2.2.2 Define ticket templates for common incident types and service requests

    Ticket templates are the backbone of automation. A common complaint is that tickets take too much time. However, a little planning can reduce the time it takes to create a ticket to less than a minute.

    | Task | Why this matters |
    | --- | --- |
    | Identify common recurring tickets that would be good candidates for using ticket templates (e.g. common service requests and incidents). | Some common recurring tickets such as password reset, new laptop, and login requests would be great candidates to create ticket templates for. Building a deck of standard rules to follow for common tickets saves time and reduces the number of tickets generated. |
    | Design ticket templates and workflows for common tickets (e.g. fields to auto-populate as well as routing and secondary tickets for onboarding requests). | Differentiating between recurring ticket types and building pre-defined templates not only saves time but can also have a major impact on how service is delivered, as this will also help separate tickets. Creating these templates beforehand will also let you communicate effectively with the users at a time when all hands need to be on deck. |

    2.2.3 Plan your ticket intake channels

    Consider possible ticket intake channels and evaluate their relevance to your organization.

    | Task | Why this matters |
    | --- | --- |
    | Decide on ticket intake channels (e.g. phone, email, portal, walk-ups). | Each standard intake channel serves its own purposes and can be extremely valuable under different circumstances. For example, walk-ins may be inefficient but necessary for critical incidents. |
    | If using email, identify/create the email account and appropriate permissions. | Email works well if it automatically creates a ticket in your ticketing system, but users often don’t provide enough information in unstructured emails. Use required fields and ticket templates to ensure the ticket is properly categorized. |
    | If using phone, identify/create the phone number and appropriate integrations. | Maintain the phone for users from other locations and for critical incidents but encourage users who call in to submit a ticket through the portal. |
    | If using a portal, determine if you will leverage the tool's portal or an existing portal. | The web portal is the most efficient intake method, but ensure it is user friendly before promoting it. |
    | If using chat, determine whether you will use the tool's chat or an existing chat mechanism and whether integrations are needed. | Another way to improve support experience for your customers is through live chat. This gives your customers an easy way to reach you at the exact moment they have questions or issues they can't fix. |

    2.2.4 Design a self-service portal

    Map your processes to the tool by defining your ticket input, categories, escalations, and workflows.

    Don’t forget about the client-facing side of the solution. It is important to build a self-serve portal that has an easy-to-use interface where the user can easily find the category for the help they’re looking for. It is also necessary to educate the users on where to find the portal or how to access it.

    | Task | Why this matters |
    | --- | --- |
    | Identify components to include (e.g. service request, incident, knowledgebase). | Identify the categories you want the users to be able to access in the portal. Finding the right balance of components to include is very important to make it easy for your users to find all the relevant information they are looking for. This could mean fewer tickets. |
    | Plan the input form for service requests and incidents (e.g. mandatory fields, optional fields, drop-down lists). | Having relevant and specific fields helps to narrow down your users’ issues, provides more information on how to allocate these tasks among the service desk resources, and reduces the time needed to further investigate the issues. |
    | If service catalog will be attached to the ITSM tool, define routing and workflows; if there is no existing service catalog, start a separate project to define it (e.g. services, SLAs). | A centrally defined guide enables a uniform quality in service and clarifies the responsible tier for the ticket. Identify services that will be included in the catalog, and if the information is attached to the ITSM tool, plan how the routing and workflows will be structured. |
    | Plan design requirements (e.g. company branding). | Ensure that the portal is aligned with the company’s theme and access format. Work with the vendor to customize the branding on the tool, design requirements, and images. |

    2.2.5 Plan your knowledgebase (KB) implementation in the new tool

    Evaluate how onerous KB migration will be for you. Is this an opportunity to improve how the KB is organized?

    | Task | Why this matters |
    | --- | --- |
    | Define knowledgebase categories and structure. | Establishing knowledgebase structures or separating articles into categories makes it easy for your clients to find them (e.g. do they align with ticket categories?). |
    | Identify existing knowledgebase articles to add to the new tool. | Review existing knowledgebase articles at a high level (e.g. Do you carry forward all existing articles? Take an opportunity to retire old articles?). |
    | Define knowledgebase article templates. | Having standardized templates makes articles easy to read and will increase their usage (e.g. all knowledgebase articles for recurring incidents will follow the same template). |
    | Build knowledgebase article creation, usage, and revision workflows. | Decide how new knowledgebase articles will be built and added to the tool, how they will be accessed and used, and also any steps necessary to update the articles. |
    | Plan a knowledgebase feedback system. | For example, include a comments section, like buttons, and who will get notified about feedback. |

    2.2.6 Design your ticket status notification processes and templates

    | Task | Why this matters |
    | --- | --- |
    | Identify triggers for status notifications. Balance the need for keeping users informed versus notifications being treated as spam. | Identify when and where the users are informed to make sure you are not under- or over-communicating with them. Status notifications and alerts are a great way to set or reset expectations with your users on the delivery or resolution of their tickets. For example, auto-response for a new ticket, or status updates to users when the ticket is assigned, solved, and closed. |
    | If using email notifications, design email templates for each type of notification. | Creating notification templates is a great way to provide standardized service to your clients and it saves time when a ticket is raised. For example, email templates for new ticket, ticket updated, or ticket closed. |
    | Plan how you will enable users to validate the ticket or resolve request without causing the ticket to reopen. | For example, in the ticket solved template, provide a link to close the ticket, and ask the user to reply only if they wish to re-open the ticket (i.e. if it's not resolved). May require consulting with the ITSM tool vendor. |
    | Decide if customer satisfaction surveys will be sent to end users after their ticket has been closed. | Discuss if this data would be useful to you if captured to improve/modify your service. |
    | If customer satisfaction surveys will be used, design the survey. | Discuss what data would be useful to you if captured and create survey questionnaires to capture that data from your clients. For example, how many questions, types of questions, whether sent for every ticket or randomly. |

    2.2.7 Identify required user accounts, access levels, and skills/service groups

    | Task | Why this matters |
    | --- | --- |
    | Define Tier 1, 2, and 3 roles and their associated access levels. | Having pre-established roles for different tiers and teams is a great way to boost accountability and also helps identify training requirements for each tier. For example, knowledgebase training for tier 1 & 2, reporting/analytics for IT manager. |
    | Identify skill groups or support teams. | Establishing accountability for all the support practices in the service desk is important for the tickets to be effectively distributed among the functional individuals and teams. Identifying the responsibilities of groups helps execute a shift-left strategy. |
    | Identify required email permissions for each role. | For example, define which roles get permissions to include status updates or other ticket information in their emails or to support automated notifications and other integrations with email. |
    | Determine how you will import users into the new tool. | Identify the best way to migrate your users to the new tool, whether it be by importing from Active Directory or the old ITSM tool, etc. |

    2.2.8 Review and update your workflows and escalation rules

    | Task | Why this matters |
    | --- | --- |
    | Document your future-state incident and service request workflows that will incorporate the above planning as well as improvements supported by the new tool. | Document your workflows and review them to make sure they’re accurate and also to help you with communicating process expectations to all the stakeholders. |
    | Review the future-state workflows. | This helps you validate that the planned changes meet your goals and identify any additional required changes. |
    | Update ticket classification values, templates, and ticket intake as needed based on the future-state workflows. | Documenting your process might uncover additional requirements for classification, templates, etc. Ensure that the classification templates and related parameters align with the workflows. |
    | Identify opportunities to further automate workflows by leveraging the new tool. | The process of reviewing the workflows often helps identify manual processes, labor-intensive processes, very repetitive processes, etc. These can be opportunities to further automate your processes. |

    2.2.9 Identify desired reporting and relevant metrics to track

    Documenting the key metrics of service desk performance and end-user satisfaction that you wish to improve through the new solution is key to evaluating the success of your implementation.

    | Task | Why this matters |
    | --- | --- |
    | Define the metrics you will track in the new ITSM tool. | It is critical to ensure that your tool will be able to track necessary metrics on KPIs from the start and that this data is accurate and reliable so that reporting will be relevant and meaningful to the business. Whether you use your own tool for tracking metrics or an external tool, ensure that you can get the internal data you need from the ITSM tool. This may include measures of Productivity (e.g. time to respond, time to resolve), Service (e.g. incident backlog, customer satisfaction), and Proactiveness (e.g. number of knowledgebase articles per week). |
    | Determine what reports you want to generate from data collected through the tool. | It’s not enough to simply set up metrics; you have to actually use the information. Reports should be analyzed regularly and used to manage costs and productivity, improve services, and identify issues. Ensure that your service desk team contributes to the usefulness of reporting by following processes such as creating tickets for every incident and request, categorizing them properly, and closing them after they’re resolved with the proper resolution code. |
    | Identify the information and metrics to include in the ITSM tool's dashboards. | A dashboard helps drive accountability across the team through greater visibility. Decide what will be reported on the dashboard. For example, average time to resolution, number of open tickets with subtotals for each priority, problem ticket aging. |

    Step 2.3

    Plan data migration and integrations

    Activities

    • 2.3.1 Create a data migration and archiving plan
    • 2.3.2 Identify and plan required integrations

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    • Decisions made around data migration, integrations, automation, and reporting.
    • ITSM Tool Implementation Checklist

    2.3.1 Create a data migration and archiving plan

    | Task | Why this matters |
    | --- | --- |
    | Document your future-state incident and service request workflows that will incorporate the above planning as well as improvements supported by the new tool. | Document your workflows and review them to make sure they’re accurate and also to help you with communicating process expectations to all the stakeholders. |
    | Review the future-state workflows. | This helps you validate that the planned changes meet your goals and identify any additional required changes. |
    | Update ticket classification values, templates, and ticket intake as needed based on the future-state workflows. | Documenting your process might uncover additional requirements for classification, templates, etc. Ensure that the classification templates and related parameters align with the workflows. |
    | Identify opportunities to further automate workflows leveraging the new tool. | The process of reviewing the workflows often helps identify manual processes, labor-intensive processes, very repetitive processes, etc. These can be opportunities to further automate your processes. |

    2.3.2 Identify and plan required integrations

    Consider and plan for any necessary integrations with other systems.

    A major component of the implementation that should be carefully considered throughout is if and how to integrate your ITSM tool with other applications in the environment.

    | Task | Why this matters |
    | --- | --- |
    | Identify the systems you need to integrate with your ITSM tool (e.g. asset discovery tools, reporting systems). | Regardless of whether your solution will be configured and installed on-premises or as a SaaS, you need to consider the underlying technology to determine how you will integrate it with other tools where necessary. Businesses may need to integrate their ITSM tool with other systems including asset management, network monitoring, and reporting systems to make the organization more efficient. |
    | Determine how data will flow between systems. | Carefully evaluate the purpose of each integration. Clients often want their ITSM tool to be integrated with all of the available data in another application when they only need a subset of that data to be integrated. Consider not only which systems you need to integrate with your ITSM tool but also who the owners of those systems are and which way the data needs to flow. |
    | Plan the development, configuration, and testing of integrations. | As with other aspects of the implementation, configure and test the integrations before going live with the tool. |

    Step 2.4

    Plan the module rollout

    Activities

    2.4.1 Repeat the methodology for additional ITSM modules, using the Checklists as a guide

    2.4.2 Leverage these blueprints to help you implement change and asset management modules

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    Identify and plan for additional modules and features to be implemented

    2.4.1 Repeat the methodology for additional ITSM modules, using the Checklists as a guide

    The preparation completed in Phase 1 and 2 to this point provides a foundation for additional ITSM modules.

    This blueprint starts with the incident management and service request modules as those are typically implemented first since they are the most impactful to day-to-day IT service management.

    In addition, the methodology outlined in Phase 1 and 2 to this point provides a model to follow for additional ITSM modules:

    • If you did not already account for additional modules in Phase 1, then repeat the steps in Phase 1 to define scope, stakeholders, and timeline.
    • The Implementation Checklist Tool provides tabs for Change Management and Asset Management to outline the specific details for those topic areas, but they follow the same high-level steps as Phase 2 (e.g. review existing processes, design relevant workflows).
    • If you are planning to implement other modules (e.g. Problem Management), create additional tabs in the Implementation Checklist Tool as needed, using the existing tabs as a base.
    The image contains screenshots of the ITSM checklists.

    2.4.2 Leverage these blueprints to help you implement change and asset management modules

    The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in the blueprints below.

    Optimize IT Change Management

    Define change management workflows, key roles, and supporting elements such as request-for-change forms based on best practices.

    Implement Hardware Asset Management

    Create an SOP and associated process workflows to streamline and standardize hardware asset management.

    Implement Software Asset Management

    Build on a strong hardware asset management program to also properly track and manage software assets. This includes managing software licensing, finding opportunities to reduce costs, and improving your software audit readiness.

    Phase 3

    Create a Deployment Plan (Communication, Training, Rollout)

    Phase 1: Identify Stakeholders, Scope, and Preliminary Timeline

    Phase 2: Prepare to Implement Incident Management and Service Request Modules

    Phase 3: Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    1. Create a communication plan (for IT, users, and business leaders)
    2. Create a training plan
    3. Plan how you will deploy, monitor, and maintain the solution

    ITSM Tool Training Schedule

    Use the template to document and plan the communications and training needs prior to deployment of the new tool.

    ITSM Tool Deployment Plan Template

    Use the deployment plan template to document the strategy and decisions made for making the transition to the new ITSM tool.

    Step 3.1

    Create a communication plan (for IT, users, and business leaders)

    Activities

    3.1.1 Ensure there is strong communication from management throughout the implementation and deployment

    3.1.2 Base your communications timeline on a classic change curve to accommodate natural resistance

    3.1.3 Communicate new processes with business leaders and end users to improve positive customer feedback

    This step involves the following participants:

    1. CIO/IT Director
    2. IT Manager
    3. Service Manager

    Outcomes of this step

    Plan for communicating the change with business executives, service desk agents, and end users.

    3.1.1 Ensure there is strong communication from management throughout the implementation and deployment

    A common contributing factor for unsuccessful implementation is a lack of communication around training, transitioning, and deploying the new tool.

    Common Pitfall:

    Organizational communication and change management should have been ongoing and tightly monitored throughout the project. However, cut-over is a time in which critical communication regarding deployment and proper user training can be derailed when last-minute preparations take priority. Not only will general user frustration increase, but unintended process workarounds will emerge, eroding system effectiveness.

    Mitigating Actions:

    Deliver training for end users that will be engaged in testing. For all other users, deliver training prior to go-live to avoid the risk of training too early (where materials may not be ready or users are likely to forget what was learned). If possible, host quick refresher training a week or two prior to go-live.

    Aim to communicate the upcoming go-live. The purpose of communication here is to reiterate expectations, complexities, and ramifications on business going forward. Alleviate performance anxiety by clearly stating that temporary drops in productivity are to be expected and that there will be appropriate assistance throughout the transition period.

    Transition: Have the project/program manager remain on the project team for some time after deployment to oversee and assure smooth transition for the organization.

    Complete training: Have a clear plan for training those users that were missed in the first round of training as well as a plan for ongoing training for those that require refresher training, for new joiners to your organization, and for any training requirements that result from subsequent upgrades.

    3.1.2 Base your communications timeline on a classic change curve

    It’s important to communicate the change ahead of the implementation, but also to reinforce that communication after implementation to recover from any resistance that occurs through the implementation itself.

    Stages in a typical change curve:

    1. Change is announced. Some people are skeptical and resistant, but others are enthusiastic. Most people are fence sitters; if they trust senior leadership, they will give the benefit of the doubt and expect change to be good.
    2. Positive sentiment declines as implementation approaches. Training and other disruptions take people’s time and energy away from their work. Project setbacks and delays take credibility away from project leaders and seem to validate the efforts of saboteurs and skeptics.
    3. Overall sentiment begins to improve as people adjust and see real progress made. Ideally, early successes or quick wins neutralize saboteurs and convert skeptics. At the very least, people will begin to accept and adapt to new realities.
    4. If the project is successful and communication is reinforced after implementation, sentiment will peak and level out over time as people move on to other projects.

    The image contains a diagram of a change curve.

    1. Honeymoon of “Uninformed Optimism”: Tentative support and enthusiasm for change before people have really felt or understood what it involves.
    2. Backlash of “Informed Pessimism” (leading to “Valley of Despair”): People realize they’ve overestimated the benefits (or how soon they’ll be achieved) and underestimated the difficulty of change.
    3. Valley of Despair and beginning of “Hopeful Realism”: Sentiment bottoms out and people begin to accept the difficulty (or inevitability) of change.
    4. Bounce of “Informed Optimism”: More optimism and support when people begin to see bright spots and early successes.
    5. Contentment of “Completion”: Change has been successfully adopted and benefits are being realized.

    3.1.3 Communicate new processes

    1. Communicate with business unit leaders and users:
      • Focus on the benefits for end users to encourage buy-in for the change.
      • Include preliminary instructions with a date for training sessions.
    2. Train users:
      • Teach users how to contact the service desk and submit a ticket.
      • Set expectations for IT’s response.
      • Record all your training sessions so they can be used for recurring training.
    3. Enforce:
      • IT must point users toward the new process, but ad hoc requests should still be expected at first. Deal with these politely but encourage all employees to use the new service desk ticketing process, if applicable.
    4. Measure success:
      • Continue to adjust communications if processes aren’t being followed to ensure SLAs can be met and improved.

    “Communicate with your end users in phase 1 to let them know what will be changing, get feedback and buy-in, and inform them that training will be happening, then ensure you train them once the tool is installed. A lot of times we’ll get our tool set up but people don’t know how to use it.”

    – Director of ITSM Tools

    Info-Tech Insight

    If there is a new process for ticket input, consider using a reward system for users who submit a ticket through the proper channel (e.g. email or self-serve portal) instead of their old method (e.g. phone). However, if a significant cultural change is required, don’t expect it to happen right away.

    Step 3.2

    Create a training plan

    Activities

    3.2.1 Target training session(s) to the specific needs of your service desk, service groups, IT managers

    3.2.2 Provide training (tool/portal and process changes)

    3.2.3 Choose an appropriate training delivery method that will focus on both process and tool

    This step involves the following participants:

    • IT Director
    • Project Manager
    • Service Desk Manager

    Outcomes of this step

    • Training modules for different users of the tool.
    • Assignment of training modules to users and schedule for completion.

    3.2.1 Target training session(s) to the specific needs of your service desk and IT staff

    Create targeted role-based training programs for your service desk analysts; they care about the portion of the solution they are responsible for, not the functionality that is irrelevant to their job.

    Create and execute a role-based training program by conducting training sessions for targeted groups of users, training them on the functions they require to perform their jobs.

    Use a table like this one to help identify which roles should be trained on which tasks within the ITSM tool.

    The image contains a table as an example of identifying which roles should be trained within the ITSM tool.

    The need for targeted training:

    • IT personnel may challenge the need for training. They may feel they don’t require training on the use of tools or that they don’t have time to dedicate to training when there is so much work to be done.
    • Providing targeted training focused on only the functions of the solution that each tier is responsible for can help to overcome that resistance.
    • Targeted training may include basic training for level 1 technicians and more advanced in-depth training for administrators, power users, or level 2/3 technicians.

    Info-Tech Insight:

    Properly trained users promote adoption and improve results. Always keep training materials updated and available. New employees, new software integration, and internal promotions create opportunities for training employees to align the ITSM tool with their roles and responsibilities.

    3.2.2 Provide training

    Training must take place before deployment to ensure that both your service desk agents and end users will use the tool in the way it was intended and improve end-user satisfaction.

    • Implementing a new ITSM tool will likely bring with it at least some degree of organizational and cultural change. It’s important to manage that change through proper training. Your training needs will vary depending on the maturity of the organization and the amount of cultural and process change being implemented.
    • If this is your first ITSM solution with many new changes for staff to take on board, it will be important to dedicate training time not only before deployment but also several months after the initial installation, to allow staff to gain more experience with the new tool and processes and formulate questions they may not think to ask during implementation.
    • A training plan should take into account not only training needs for the implementation project but also any ongoing training requirements that may be required. This may include:
      • Training for new personnel.
      • Training on any changes to the tool.
      • Training on any new processes the tool will support.
    • Better agent training will lead to better performance and improved end-user satisfaction.

    The image contains a screenshot of a graph to demonstrate training hours and first contact resolution.

    The blue graph line charts new-agent training hours against first contact resolution and the orange graph line charts the trendline for the dataset.

    Source: MetricNet, 2012

    3.2.3 Choose an appropriate training delivery method

    Training should include use cases that focus on not only how the tool’s interface works but also how the tool should be used to support process activities.

    1. Training through use cases highlights how the tool will support the user in role-based tasks.
    2. If new processes are being introduced along with the tool, training should cover both in an integrated way.
    3. Team leadership and management commitment ensures that all agents take their training seriously and are prepared for all use cases by the deployment date.

    Trainer-led sessions:

    • May take the form of onsite or video training.
    • Vendor may train administrators or managers, who will later train remaining staff.
    • Allows for interaction with the trainer and greater opportunity to ask questions.
    • Difficult for large organizations with many users to be trained.

    Self-taught sessions:

    • Delivered via computer-based training applications, typically through a web browser.
    • May include voice training sessions combined with exercises and quizzes.
    • More feasible for large, distributed organizations with less flexible schedules.

    Info-Tech Insight:

    Ensure that the training demonstrates not only how the tool should be used, but also the benefits it will provide your staff in terms of improved efficiency and productivity. Users who can clearly see the benefits the tool will provide for their daily work will accept the tool more readily and promote it across the organization.

    Step 3.3

    Plan how you will deploy, monitor, and maintain the solution

    Activities

    3.3.1 Plan the transition from your old tool to ensure continual functionality

    3.3.2 Choose a cut-over approach that works for you

    3.3.3 Deploy the solution and any new processes simultaneously to ease the transition

    3.3.4 Have a post-deployment support plan in place

    3.3.5 Monitor success metrics defined in Phase 1

    This step involves the following participants:

    • IT Director
    • Project Manager
    • Service Desk Manager

    Outcomes of this step

    Deployment plan, including a plan for cut-over from the old tool (if applicable), release of the new tool, and post-deployment support and maintenance of the tool.

    3.3.1 Plan the transition from your old tool to ensure continual functionality

    If you will have a transitional period during which the current tool will be used alongside the new tool, develop a clear plan for the transition to ensure continued service for your end users.

    • If there will be an interim period during which only some aspects of the new ITSM tool are functional, you will need to determine how the new system and old systems will work together for that period of time. This may require creating interfaces as well as providing user documentation and/or SOPs on how the business processes will operate during the interim period.
    • Cut-over is the period during which the changeover to the new system occurs. Cut-over activities need to be tightly choreographed for a successful deployment. If improperly planned, chaos may erupt when unforeseen issues are encountered during deployment, the deployment may be jeopardized, and the organization may encounter costly interruptions to its daily operations.
    • Many organizations may leave any open tickets in the old tool until they are closed, which requires that the old tool run alongside the new tool for a transitional period. In this case, it is necessary to create guidelines around how long the open tickets will remain in the old system and ensure there is clear communication around these processes.

    Be prepared for the transition:

    1. Create a robust cut-over plan that includes when the old tool will be decommissioned, what activities are necessary during the cut-over, and what the contingency plan is in case of unforeseen issues.
    2. Plan for and perform mock cut-overs to establish the timeline and dependencies for all steps that need to be performed to successfully complete the changeover. Do this to avoid any surprises or delays during the true cut-over period.
    3. Establish cut-over logistics: Create a schedule for resources to work in shifts to avoid burn-out during cut-over, which can lead to lapses in judgment and easily avoidable mistakes. Allocate dedicated workspaces for cut-over activities, e.g. “war rooms” for the triage of issues.

    3.3.2 Choose a cut-over approach that works for you

    Approaches and insights from three case studies

    Case Study #1

    On day one we started recording all new incidents in the new tool, and everything that was open in the old tool remained open for about one month. At that point we transferred over some open incidents but closed old incidents with the view that if anyone really wanted something done that hadn’t been yet, they could re-submit a ticket.

    – Brett Andrews, Managing Director at BAPTISM Consultancy

    Case Study #2

    It made sense for us to start fresh with the new system. We left all of the old tickets in the old system and started the new system with ticket #1. We only had about a dozen open tickets in the old system so we left them there and ran the two tools side by side until those were closed.

    – CIO, Publishing

    Case Study #3

    It depends on the client and the size of their service desk as well as the complexity of their data and whether they need their old data for reporting. If there are only a dozen open tickets, they can manually move those over easily, and decide whether they want to migrate their historical data for reporting purposes.

    – Scott Walling, Co-Founder at Monitor 24-7 Inc.

    3.3.3 Deploy the solution and any new processes simultaneously to ease the transition

    Follow a deployment plan for introducing new processes alongside the new tool to ensure changes to both process and technology are adopted simultaneously.

    If you’re introducing new processes alongside the new tool, it’s important to maintain the link between process and tool. Typically, the processes and tool should be deployed simultaneously unless there is a strong reason not to do so.

    Deployment can be done as a big-bang or phased approach. The decision to employ a phased deployment depends on the number and size of business units the tool will support, as well as the organization’s geography and infrastructure (deployment locations).

    Before deployment, conduct readiness assessments to understand whether:

    • The people are ready to accept the new system (have received the proper training and communications and understand how their jobs will change when the switch is flipped).
    • The technology is ready (test results are favorable, workarounds and a plan for closure have been identified for any open defects, and the system is performing as expected).
    • The data is ready (data for final conversion has been cleansed, and all conversions have been rehearsed).
    • The post-deployment support model is ready (infrastructure and technical support is in place, sites are ready, knowledge transfer has been conducted with the support organization, and end users understand procedures for escalation of issues).

    3.3.4 Have a post-deployment support plan in place

    Ensure that strong internal support for the project and tool will continue after deployment.

    The stabilization period after a new software deployment can last between three and nine months, during which there may be continued training needs and fine-tuning of processes. Internal support from project leaders within your organization will be critical to recover from any dip in operational efficiency and deliver the benefits of the tool.

    Consider the following to prepare better for your support plan:

    • What are the roles and responsibilities for ongoing tool administration support?
    • What level of support will exist to assist service desk staff after deployment?
    • How much time will project team resources devote to tackling upcoming issues and assisting with ongoing support?
    • Who will be responsible for ongoing training needs and documentation?
    • If your organization is spread across multiple locations, what level of support/assistance will be available at each site?
    • How will new code releases or system upgrades be managed and communicated?

    Info-Tech Insight:

    Deployment is only the first step in the system lifecycle. Full benefit realization from the tool requires ongoing investment and learning to be sustained. Unless processes and training are updated on an ongoing basis, benefits gained will start to decrease over time. If your service desk efficiency stagnates at the level it was at prior to implementation, the tool has failed to serve its objective.

    Establish ongoing tool maintenance, improvement structures, and processes

    People, processes, and organizations change over time, and your ITSM tool will need to change to meet expectations.

    Develop and execute a plan for the maintenance of the solution and its infrastructure components.

    Include periodic reviews against business needs and operational requirements (e.g. patches, upgrades, and risk and security requirements).

    For maintenance updates, use the change management process and assess how an activity will impact solution design, functionality, and business processes.

    For major changes that result in significant change in current designs, functionality, and/or business processes, follow the development process used for new systems.

    Ensure that maintenance activities are periodically analyzed for abnormal trends indicating underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu of maintenance.

    Assign responsibility for ongoing maintenance. Hold regular meetings for the following activities:

    1. Inspect data and reports.
    2. Assess whether you’re meeting SLAs.
    3. Predict any upcoming changes that may impact ticket volume (e.g. a new operating system or security patch).
    4. Create new ticket templates for recurring or upcoming issues.
    5. Create new knowledgebase articles.
    6. Determine whether ticket categories are being used correctly.
    7. Ask the team if there are any problems with the tool.

    3.3.5 Monitor success metrics defined in Project Charter

    Revisit your goals for the solution and assess if they are being met by evaluating current metrics. If your goals have not yet been met, re-evaluate how to ensure the tool will deliver value.

    Sample High-Level Goals:

    1. Improved service desk efficiency
    2. Improved end-user satisfaction
    3. Improved self-service options for end users
    4. Improved data and reporting capabilities

    | Sample Metric Descriptions | Baseline Metric | Goal | Current Metric |
    | --- | --- | --- | --- |
    | Increased ticket input through email versus phone | 50% of tickets submitted through phone | 10% of tickets submitted through phone | |
    | Reduced ticket volume (through improved self-serve capabilities) | 1,500 tickets per month | 1,200 tickets per month | |
    | Improved first call resolution (through increased efficiency and automation) | 50% FCR | 60% FCR | |
    | Improved ability to meet SLAs (through automated escalations and prioritization) | 5 minutes to log a ticket | 1 minute to log a ticket | |
    | Improved time to produce reports | 3 business days | 1 business day | |
    | Improved end-user satisfaction | 60% satisfied with services | 75% satisfied | |

    Related Info-Tech Research

    Optimize IT Change Management

    Define change management workflows, key roles, and supporting elements such as request-for-change forms based on best practices.

    Standardize the Service Desk

    Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

    Optimize the Service Desk With a Shift-Left Strategy

    Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

    Incident and Problem Management

    Develop a critical incident management workflow and create standard operating procedures for problem management.

    IT Service Management Selection Guide

    Identify the best-of-breed solution to make the most of your investment and engage the right stakeholders to define success.

    Analyze Your Service Desk Ticket Data

    Develop a framework to track metrics, clean data, and put your data to use for pre-defined timelines.

    Bibliography

    Adiga, Siddanth. “10 Reasons Why ITSM Implementations Fail.” Could Strategy, 6 May 2015. Web.

    Hastie, Shane, and Stéphane Wojewoda. “Standish Group 2015 Chaos Report.” InfoQ, 4 October 2015. Web.

    “How to Manage Change in the Implementation of an ITSM Software.” C2, 20 April 2015. Web.

    Lockwood, Meghan. “First Look: Annual ServiceNow Insight and Vision Executive Summary [eBook].” Acorio, 31 October 2019. Web.

    Mainville, David. “7 Steps to a Successful ITSM Tool Implementation.” Navvia, 2012. Web.

    Rae, Barclay. “Preparing for ITSM Tool Implementation.” Joe the IT Guy, 24 June 2015. Web.

    Rae, Barclay. “Successful ITSM Tool Implementation.” BrightTALK, 9 May 2013. Webcast.

    Rumburg, Jeffrey. “Metric of the Month: Agent Training Hours.” MetricNet, 2012. Web.

    Make the Case for Product Delivery

    • Organizations are traditionally organized to deliver initiatives in specific periods of time. This is in contention with product-centric delivery practices. This form of delivery acknowledges the reality that solutions of all shapes and sizes deliver continual and evolving business value over their lifetime.
    • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.
    • Product owners struggle to prioritize changes to deliver product value. This creates a gap and conflict between product and enterprise goals.

    Our Advice

    Critical Insight

    • Delivering products doesn’t mean you will stop delivering projects! Product-centric delivery is intended to address the misalignment between the long-term delivery of value that organizations demand and the nature of traditional project-focused environments.

    Impact and Result

    • We will help you build a proposal deck to make the case to your stakeholders for product-centric delivery.
    • You will build this proposal deck by answering key questions about product-centric delivery so you can identify:
      • A common definition of product.
      • How this form of delivery differs from traditional project-centric approaches.
      • Key challenges and benefits.
      • The capabilities needed to effectively own products and deliver value.
      • What you are asking of stakeholders.
      • A roadmap of how to get started.

    Make the Case for Product Delivery Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for Product Delivery Deck – A guide to help align your organization on the practices to deliver what matters most.

    This project will help you define “product” for your organization, define your drivers and goals for moving to product delivery, understand the role of product ownership, lay out the case to your stakeholders, and communicate what comes next for your transition to product.

    • Make the Case for Product Delivery Storyboard

    2. Make the Case for Product Delivery Presentation Template – A template to help you capture and detail your case for product delivery.

    Build a proposal deck to help make the case to your stakeholders for product-centric delivery.

    • Make the Case for Product Delivery Presentation Template

    3. Make the Case for Product Delivery Workbook – A tool to capture the results of exercises to build your case to change your product delivery method.

    This workbook is designed to capture the results of the exercises in the Make the Case for Product Delivery Storyboard. Each worksheet corresponds to an exercise in the storyboard. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

    • Make the Case for Product Delivery Workbook

    Further reading

    Make the Case for Product Delivery

    Align your organization on the practices to deliver what matters most.

    Table of Contents

    Define product

    Define your drivers and goals

    Understand the role of product ownership

    Communicate what comes next

    Make the case to your stakeholders

    Appendix: Additional research

    Appendix: Product delivery strategy communication

    Appendix: Manage stakeholder influence

    Appendix: Product owner capability details

    Executive Summary

    Your Challenge
    • Products are the lifeblood of an organization. They deliver the capabilities needed to deliver value to customers, internal users, and stakeholders.
    • Organizations are under pressure to align the value they provide with the organization’s goals and overall company vision.
    • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.
    Common Obstacles
    • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This is in contention with product-centric delivery.
    • Product delivery acknowledges the reality that solutions of all shapes and sizes deliver continual and evolving business value over their lifetime.
    • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.
    • Product owners struggle to prioritize changes to deliver product value. This creates a gap and conflict between product and enterprise goals.
    Info-Tech’s Approach
    • Info-Tech will enable you to build a proposal deck to make the case to your stakeholders for product-centric delivery.
    • You will build this proposal deck by answering key questions about product-centric delivery so you can identify:
      • A common definition of product.
      • How this form of delivery differs from traditional project-centric approaches.
      • Key challenges and benefits.
      • The capabilities needed to effectively own products and deliver value.
      • What you are asking of stakeholders.
      • A roadmap of how to get started.

    Info-Tech Insight

    Delivering products doesn’t mean you will stop delivering projects! Product-centric delivery is intended to address the misalignment between the long-term delivery of value that organizations demand and the nature of traditional project-focused environments.

    Many executives perceive IT as being poorly aligned with business objectives

    Info-Tech’s CIO Business Vision Survey data highlights the importance of IT initiatives in supporting the business in achieving its strategic goals.

    However, Info-Tech’s CEO-CIO Alignment Survey (2021; N=58) data indicates that CEOs perceive IT to be poorly aligned to the business’s strategic goals.

    Info-Tech CEO-CIO Alignment Diagnostics, 2021 (N=58)

    40% of CEOs believe that business goals are going unsupported by IT.

    34% of business stakeholders are supporters of their IT departments (n=334).

    40% of CIOs/CEOs are misaligned on the target role for IT.

    Info-Tech Insight

    Great technical solutions are not the primary driver of IT success. Focusing on delivery of digital products that align with organizational goals will produce improved outcomes and will foster an improved relationship between business and IT.

    Increase product success by involving IT, business, and customers in your product roadmaps, planning, and delivery

    Product management and delivery seek to promote improved relationships among IT, business, and customers, a critical driver for business satisfaction.

    IT

    1. Collaboration

    IT, business, and customers work together through all stages of the product lifecycle, from market research through the roadmapping and delivery processes and into maintenance and retirement. The goal is to ensure the risks and dependencies are realized before work is committed.

    Stakeholders, Customers, and Business

    2. Communication

    Prioritize high-value modes of communication to break down existing silos and create common understanding and alignment across functions. This approach increases transparency and visibility across the entire product lifecycle.

    3. Integration

    Explore methods to integrate the workflows, decision making, and toolsets among the business, IT, and customers. The goal is to become more reactive to changes in business and customer expectations and more proactive about market trends.

    Product does not mean the same thing to everyone

    Do not expect a universal definition of products.
    Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.

    “A product [is] something (physical or not) that is created through a process and that provides benefits to a market.” (Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance)

    “A product is something ... that is created and then made available to customers, usually with a distinct name or order number.” (TechTarget)

    “A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.” (Mark Curphey)

    Organizations need a common understanding of what a product is and how it pertains to the business.

    This understanding needs to be accepted across the organization.

    “There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.” (Chad Beier, “How Do You Define a Product?” Scrum.org)

    Products enable the long-term and continuous delivery of value

    Diagram laying out the lifecycles and roadmaps contributing to the 'Continuous delivery of value'. Beginning with 'Project Lifecycle' in which Projects with features and services end in a Product Release that is disconnected from the continuum. Then the 'Hybrid Lifecycle' and 'Product Lifecycle' which are connected by a 'Product Roadmap' and 'Product Backlog' have Product Releases that connect to the continuum.

    Phase 1

    Build the case for product-centric delivery

    Phase 1
    1.1 Define product
    1.2 Define your drivers and goals
    1.3 Understand the role of product ownership
    1.4 Communicate what comes next
    1.5 Make the case to your stakeholders

    This phase will walk you through the following activities:

    • Define product in your context.
    • Define your drivers and goals for moving to product delivery.
    • Understand the role of product ownership.
    • Communicate what comes next for your transition to product.
    • Lay out the case to your stakeholders.

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Step 1.1

    Define product

    Activities
    • 1.1.1 Define “product” in your context
    • 1.1.2 Consider examples of what is (and is not) a product in your organization
    • 1.1.3 Identify the differences between project and product delivery

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • A clear definition of product in your organization’s context.

    Make the Case for Product Delivery

    Step 1.1 Step 1.2 Step 1.3 Step 1.4 Step 1.5

    Exercise 1.1.1 Define “product” in your context

    30-60 minutes

    Output: Your enterprise/organizational definition of products and services

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Discuss what “product” means in your organization.
    2. Create a common, enterprise-wide definition for “product.”

    “A product [is] something (physical or not) that is created through a process and that provides benefits to a market.” (Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance)

    “A product is something ... that is created and then made available to customers, usually with a distinct name or order number.” (TechTarget)

    “A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.” (Mark Curphey)

    Record the results in the Make the Case for Product-Centric Delivery Workbook.

    Example: What is a product?

    Not all organizations will define products in the same way. Take this as a general example:

    “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”

    Info-Tech Insight

    A proper definition of product recognizes three key facts:

    1. Products are long-term endeavors that don’t end after the project finishes.
    2. Products are not just “apps” but can be software or services that drive the delivery of value.
    3. There is more than one stakeholder group that derives value from the product or service.

    How do we know what is a product?

    What isn’t a product:
    • Features (on their own)
    • Transactions
    • Unstructured data
    • One-time solutions
    • Non-repeatable processes
    • Solutions that have no users or consumers
    • People or teams
    You have a product if the given item...
    • Has end users or consumers
    • Delivers quantifiable value
    • Evolves or changes over time
    • Has predictable delivery
    • Has definable boundaries
    • Has a cost to produce and operate

    Exercise 1.1.2 Consider examples of what is (and is not) a product in your organization

    15 minutes

    Output: Examples of what is and isn’t a product in your specific context.

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Leverage the definition you created in exercise 1.1.1 and the explanation on the slide What is a product?
    2. Pick examples that effectively show the difference between products and non-products and facilitate a conversation on the ones that seem to be on the line. Specific server instances, or instances of providing a service, are worthwhile examples to consider.
    3. From the list you come up with, take the top three examples and put them into the Make the Case for Product Delivery Presentation Template.
    Example:
    What isn’t a product?
    • Month-end SQL scripts to close the books
    • Support Engineer doing a password reset
    • Latest research project in R&D
    What is a product?
    • Self-service password reset portal
    • Oracle ERP installation
    • Microsoft Office 365

    Record the results in the Make the Case for Product Delivery Workbook.

    Product delivery practices should consider everything required to support it, not just what users see.

    Cross-section of an iceberg above and below water with visible product delivery practices like 'Funding', 'External Relationships', and 'Stakeholder Management' above water and internal product delivery practices like 'Product Governance', 'Business Functionality', and 'R&D' under water. There are far more processes below the water.

    Products and services share the same foundation and best practices

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. Product is used for consistency but would apply to services as well.

    Product = Service

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:
    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Exercise 1.1.3 Identify the differences between project and product delivery

    30-60 minutes

    Output: List of differences between project and product delivery

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Consider project delivery and product delivery.
    2. Discuss what some differences are between the two.
      Note: This exercise is not about identifying the advantages and disadvantages of each style of delivery. This is to identify the variation between the two.

    Theme | Project Delivery (Current) | Product Delivery (Future)
    Timing | Defined start and end | Does not end until the product is no longer needed
    Funding | Funding projects | Funding products and teams
    Prioritization | LoB sponsors | Product owner
    Capacity Management | Project management | Managed by product team

    Record the results in the Make the Case for Product Delivery Workbook.

    Identify the differences between a project-centric and a product-centric organization

    Project Product
    Fund projects — Funding –› Fund products or teams
    Line of business sponsor — Prioritization –› Product owner
    Makes specific changes to a product — Product management –› Improves product maturity and support
    Assignment of people to work — Work allocation –› Assignment of work to product teams
    Project manager manages — Capacity management –› Team manages capacity

    Info-Tech Insights

    • Product ownership should be one of your first areas of focus when transitioning from project to product delivery.
    • Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

    Projects can be a mechanism for funding product changes and improvements

    Diagram laying out the lifecycles and roadmaps contributing to the 'Continuous delivery of value'. Beginning with 'Project Lifecycle' in which Projects with features and services end in a Product Release that is disconnected from the continuum. Then the 'Hybrid Lifecycle' and 'Product Lifecycle' which are connected by a 'Product Roadmap' and 'Product Backlog' have Product Releases that connect to the continuum.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.

    Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Step 1.2

    Define your drivers and goals

    Activities
    • 1.2.1 Understand your drivers for product-centric delivery
    • 1.2.2 Define the goals for your product-centric organization

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • A clear understanding of your motivations and desired outcomes for moving to product delivery.

    Exercise 1.2.1 Understand your drivers for product-centric delivery

    30-60 minutes

    Output: Organizational drivers to move to product-centric delivery.

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Identify your pain points in the current delivery model.
    2. What is the root cause of these pain points?
    3. How will a product-centric delivery model fix the root cause (drivers)?
    Pain Points
    • Lack of ownership
    Root Causes
    • Siloed departments
    Drivers
    • Accountability

    Record the results in the Make the Case for Product Delivery Workbook.

    Exercise 1.2.2 Define the goals for your product-centric organization

    30 minutes

    Output: Goals for product-centric delivery

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Review the differences between project and product delivery from exercise 1.1.3 and the list of drivers from exercise 1.2.1.
    2. Define your goals for achieving a product-centric organization.
      Note: Your drivers may have already covered the goals. If so, review if you would like to change the drivers based on your renewed understanding of the differences between project and product delivery.
    Pain Points
    • Lack of ownership
    Root Causes
    • Siloed departments
    Drivers
    • Accountability
    Goals
    • End-to-end ownership

    Record the results in the Make the Case for Product Delivery Workbook.

    Step 1.3

    Understand the role of product ownership

    Activities
    • 1.3.1 Identify product ownership capabilities

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Product owner capabilities that you agree are critical to start your product transformation.

    Accountability for the delivery of value through product ownership is not optional

    Tree of 'Enterprise Goals and Priorities' leading to 'Product' through a 'Product Family'.

    Info-Tech Insight

    People treat the assignment of accountability for products (aka product ownership) as optional. Without assigning accountability up front, your transition to product delivery will stall. Accountable individuals will be focused on the core outcome for product delivery, which is the delivery of the right value, at the right time, to the right people.

    Description of the tree levels shown in the diagram on the left. First is 'Enterprise Goals and Priorities', led by 'Executive Leadership' using the 'Enterprise Strategic Roadmap'. Second is 'Product Family', led by 'Product Manager' using the 'Product Family Roadmap'. Last is 'Product', led by the 'Product Owner' using the 'Product Roadmap' and 'Backlog' on the strategic end, and 'Releases' on the tactical end. In the holistic context, 'Product Family' is considered 'Strategic' while 'Product' is 'Tactical'.

    Recognize the different product owner perspectives

    Business
    • Customer facing, revenue generating
    Technical
    • IT systems and tools
    Operations
    • Keep-the-lights-on processes

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Info-Tech Insight

    Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.

    “A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.” (Robbin Schuurman, “Tips for Starting Product Owners”)

    Implement the Info-Tech product owner capability model

    As discussed in Build a Better Product Owner, most product owners operate with an incomplete knowledge of the skills and capabilities needed to perform the role. Common gaps include focusing only on product backlogs, acting as a proxy for product decisions, and ignoring the need for key performance indicators (KPIs) and analytics in both planning and value realization.

    'Product Owner Capabilities': 'Vision', 'Leadership', 'Product Lifecycle Management', 'Value Realization'.

    Vision
    • Market Analysis
    • Business Alignment
    • Product Roadmap
    Leadership
    • Soft Skills
    • Collaboration
    • Decision Making
    Product Lifecycle Management
    • Plan
    • Build
    • Run
    Value Realization
    • KPIs
    • Financial Management
    • Business Model

    Details on product ownership capabilities can be found in the appendix.

    Exercise 1.3.1 Identify product ownership capabilities

    60 minutes

    Output: Product owner capability mapping

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Write down the capabilities product owners need to perform their duties (one per sticky note) in order to describe product ownership in your organization. Consider people, processes, and tools.
    2. Mark each capability with a plus (current capability), circle (some proficiency), or dash (missing capability).
    3. Discuss each capability and place on the appropriate quadrant.

    'Product Owner Capabilities': 'Vision', 'Leadership', 'Product Lifecycle Management', 'Value Realization'.

    Record the results in the Make the Case for Product Delivery Workbook.

    Differentiate between product owners and product managers

    Product Owner (Tactical Focus)
    • Backlog management and prioritization
    • Epic/story definition, refinement in conjunction with business stakeholders
    • Sprint planning with Scrum Master
    • Working with Scrum Master to minimize disruption to team velocity
    • Ensuring alignment between business and Scrum teams during sprints
    • Profit and loss (P&L) product analysis and monitoring
    Product Manager (Strategic Focus)
    • Product strategy, positioning, and messaging
    • Product vision and product roadmap
    • Competitive analysis and positioning
    • New product innovation/definition
    • Release timing and focus (release themes)
    • Ongoing optimization of product-related marketing and sales activities
    • P&L product analysis and monitoring

    Info-Tech Insight

    “Product owner” and “product manager” are terms that should be adapted to fit your culture and product hierarchy. These are not management relationships but rather a way to structure related products and services that touch the same end users.

    Step 1.4

    Communicate what comes next

    Activities
    • 1.4.1 How do we get started?

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • A now, next, later roadmap indicating your overall next steps.

    Make a plan in order to make a plan!

    Consider some of the techniques you can use to validate your strategy.

    Cyclical diagram of the 'Continuous Delivery of Value' within 'Business Value'. Surrounding attributes are 'User Centric', 'Adaptable', 'Accessible', 'Private & Secured', 'Informative & Insightful', 'Seamless Application Connection', 'Relationship & Network Building', 'Fit for Purpose'.

    Go to your backlog and prioritize the elements that need to be answered sooner rather than later.

    Possible areas of focus:

    • Regulatory requirements or questions to answer around accessibility, security, privacy.
    • Stress testing any new processes against situations that may occur.
    Learning Milestones

    The completion of a set of artifacts dedicated to validating business opportunities and hypotheses.

    Possible areas of focus:

    • Align teams on product strategy prior to build
    • Market research and analysis
    • Dedicated feedback sessions
    • Provide information on feature requirements
    Sprint Zero (AKA Project-before-the-project)

    The completion of a set of key planning activities, typically the first sprint.

    Possible areas of focus:

    • Focus on technical verification to enable product development alignment
    • Sign off on architectural questions or concerns

    The “Now, Next, Later” roadmap

    Use this when deadlines and delivery dates are not strict. This is best suited for brainstorming a product plan when dependency mapping is not required.

    • Now
      What are you going to do now?
    • Next
      What are you going to do very soon?
    • Later
      What are you going to do in the future?
    A priority map laid out as a half rainbow with 'Now' as the inner, 'Next' as the middle, and 'Later' as the outer. Various 'Features', 'Releases', and an 'MVP' are mapped into the sections.
    (Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017)

    Exercise 1.4.1 How do we get started?

    30-60 minutes

    Output: Product transformation critical steps and basic roadmap

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Identify what the critical steps are for the organization to embrace product-centric delivery.
    2. Group each critical step by how soon you need to address it:
      • Now: Let’s do this ASAP.
      • Next: Sometime very soon, let’s do these things.
      • Later: Much further off in the distance, let’s consider these things.
    A priority map laid out as a half rainbow with 'Now' as the inner, 'Next' as the middle, and 'Later' as the outer. Various 'Features', 'Releases', and an 'MVP' are mapped into the sections.
    (Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017)

    Record the results in the Make the Case for Product Delivery Workbook.

    Example

    Example table for listing tasks to complete Now, Next, or Later

    Step 1.5

    Make the case to your stakeholders

    Activities
    • 1.5.1 Identify what support you need from your stakeholders
    • 1.5.2 Build your pitch for product delivery

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • A deliverable that helps make the case for product delivery.

    Develop a stakeholder strategy to define your product owner landscape

    Stakeholder Influence

    Stakeholders are a critical cornerstone to product ownership. They provide the context, alignment, and constraints that influence or control what a product owner is able to accomplish.

    Product teams operate within this network of stakeholders who represent different perspectives within the organization.

    See the appendix for activities and guidance on how to devise a strategy for managing stakeholders.

    Image of four puzzle pieces being put together, labelled 'Product Lifecycle', 'Project Delivery', 'Operational Support', and 'Stakeholder Management'.

    Exercise 1.5.1 Identify what support you need from your stakeholders

    30 minutes

    Output: Clear understanding of stakeholders, what they need from you, and what you need from them.

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. If you don’t yet know who your stakeholders are, consider completing one or more of the stakeholder management exercises in the appendix.
    2. Identify your key stakeholders who have an interest in solution delivery.
    3. Consider their perspective on product-centric delivery. (For example: For head of support, what does solution delivery mean to them?)
    4. Identify what role each stakeholder would play in the transformation.
      • This role represents what you need from them for this transformation to product-centric delivery.

    Stakeholder | What does solution delivery mean to them? | What do you need from them in order to be successful?

    Record the results in the Make the Case for Product Delivery Workbook.

    Exercise 1.5.2 Build your pitch deck

    30 minutes (and up)

    Output: A completed presentation to help you make the case for product delivery.

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Take the results from the Make the Case for Product Delivery Workbook and transfer them into the presentation template.
    2. Follow the instructions on each page listed in the instruction bubbles to know what results to place where.
    3. This is meant to be a template; you are welcome to add and remove slides as needed to suit your audience!

    Sample of slides from the Make the Case for Product Delivery Workbook with instruction bubbles overlaid.

    Record the results in the Make the Case for Product Delivery Workbook.

    Appendix

    Additional research to start your journey

    Related Info-Tech Research

    Product Delivery

    Deliver on Your Digital Product Vision

    • Build a product vision your organization can take from strategy through execution.

    Build a Better Product Owner

    • Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Build Your Agile Acceleration Roadmap

    • Quickly assess the state of your Agile readiness and plan your path forward to higher value realization.

    Implement Agile Practices That Work

    • Improve collaboration and transparency with the business to minimize project failure.

    Implement DevOps Practices That Work

    • Streamline business value delivery through the strategic adoption of DevOps practices.

    Deliver Digital Products at Scale

    • Deliver value at the scale of your organization through defining enterprise product families.

    Extend Agile Practices Beyond IT

    • Further the benefits of Agile by extending a scaled Agile framework to the business.

    Build Your BizDevOps Playbook

    • Embrace a team sport culture built around continuous business-IT collaboration to deliver great products.

    Embed Security Into the DevOps Pipeline

    • Shift security left to get into DevSecOps.

    Spread Best Practices With an Agile Center of Excellence

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Related Info-Tech Research

    Application Portfolio Management

    Application Portfolio Management (APM) Research Center

    • See an overview of the APM journey and how we can support the pieces in this journey.

    Application Portfolio Management for Small Enterprises

    • There is no one-size-fits-all rationalization. Tailor your framework to meet your goals.

    Streamline Application Maintenance

    • Effective maintenance ensures the long-term value of your applications.

    Build an Application Rationalization Framework

    • Manage your application portfolio to minimize risk and maximize value.

    Modernize Your Applications

    • Justify modernizing your application portfolio from both business and technical perspectives.

    Review Your Application Strategy

    • Ensure your applications enable your business strategy.

    Application Portfolio Management Foundations

    • Ensure your application portfolio delivers the best possible return on investment.

    Streamline Application Management

    • Move beyond maintenance to ensuring exceptional value from your apps.

    Optimize Applications Release Management

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Embrace Business-Managed Applications

    • Empower the business to implement their own applications with a trusted business-IT relationship.

    Value, Delivery Metrics, Estimation

    Build a Value Measurement Framework

    • Focus product delivery on business value–driven outcomes.

    Select and Use SDLC Metrics Effectively

    • Be careful what you ask for, because you will probably get it.

    Application Portfolio Assessment: End User Feedback

    • Develop data-driven insights to help you decide which applications to retire, upgrade, re-train on, or maintain to meet the demands of the business.

    Create a Holistic IT Dashboard

    • Mature your IT department by measuring what matters.

    Refine Your Estimation Practices With Top-Down Allocations

    • Don’t let bad estimates ruin good work.

    Estimate Software Delivery With Confidence

    • Commit to achievable software releases by grounding realistic expectations.

    Reduce Time to Consensus With an Accelerated Business Case

    • Expand on the financial model to give your initiative momentum.

    Optimize IT Project Intake, Approval, and Prioritization

    • Deliver more projects by giving yourself the voice to say “no” or “not yet” to new projects.

    Enhance PPM Dashboards and Reports

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Org Design and Performance

    Redesign Your IT Organizational Structure

    • Focus product delivery on business value–driven outcomes.

    Build a Strategic IT Workforce Plan

    • Have the right people, in the right place, at the right time.

    Implement a New IT Organizational Structure

    • Reorganizations are inherently disruptive. Implement your new structure with minimal pain for staff while maintaining IT performance throughout the change.

    Build an IT Employee Engagement Program

    • Measure employee sentiment to drive IT performance.

    Set Meaningful Employee Performance Measures

    • Set holistic measures to inspire employee performance.

    Master Organizational Change Management Practices

    • PMOs, if you don't know who is responsible for org change, it's you.

    Appendix

    Product delivery strategy communication

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    Diagram on how to get from product owner capabilities to 'Business Value Realization' through 'Product Roadmap' with a 'Tiered Backlog', 'Delivery Capacity and Throughput' via a 'Product Delivery Pipeline'.
    (Adapted from: Pichler, “What Is Product Management?”)

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver.
    Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    Two-part diagram showing the 'Product Backlog' segmented into '1. Current: Features/ Stories', '2. Near-term: Capabilities', and '3. Future: Epics', and then the 'Product Roadmap' with the same segments placed into a timeline.

    Multiple roadmap views can communicate differently, yet tell the same truth

    Product managers and product owners have many responsibilities, and a roadmap can be a useful tool to complete those objectives through communication or organization of tasks.

    However, not all roadmaps address the correct audience and achieve those objectives. Care must be taken to align the view to the given audience.

    Pie Chart showing the surveyed most important reason for using a product roadmap. From largest to smallest are 'Communicate a strategy', 'Plan and prioritize', 'Communicate milestones and releases', 'Get consensus on product direction', and 'Manage product backlog'.
    Surveyed most important reason for using a product roadmap (Source: ProductPlan, 2018)

    Audience | Business/IT leaders | Users/Customers | Delivery teams
    Roadmap View | Portfolio | Product | Technology
    Objectives | To provide a snapshot of the portfolio and priority apps | To visualize and validate product strategy | To coordinate and manage teams and show dev. progress
    Artifacts | Line items or sections of the roadmap are made up of individual apps, and an artifact represents a disposition at its highest level. | Artifacts are generally grouped by various product teams and consist of strategic goals and the features that realize those goals. | Artifacts are grouped by the teams who deliver that work and consist of features and technical enablers that support those features.

    Appendix

    Managing stakeholder influence

    From Build a Better Product Owner

    Step 1.3 (from Build a Better Product Owner)

    Manage Stakeholder Influence

    Activities
    • 1.3.1 Visualize interrelationships to identify key influencers
    • 1.3.2 Group your product owners into categories
    • 1.3.3 Prioritize your stakeholders
    • 1.3.4 Delegation Poker: Reach better decisions

    This step will walk you through the following activities:

    To be successful, product owners need to identify and manage all stakeholders for their products. This step will build a stakeholder map and strategy.

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Outcomes of this step

    • Relationships among stakeholders and influencers
    • Categorization of stakeholders and influencers
    • Stakeholder and influencer prioritization
    • Better understanding of decision-making approaches and delegation

    Develop a product owner stakeholder strategy

    Stakeholder Influence

    Stakeholders are a critical cornerstone to product ownership. They provide the context, alignment, and constraints that influence or control what a product owner is able to accomplish.

    Product owners operate within this network of stakeholders who represent different perspectives within the organization.

    First, product owners must identify members of their stakeholder network. Next, they should devise a strategy for managing stakeholders.

    Without accomplishing these missing pieces, product owners will encounter obstacles, resistance, or unexpected changes.

    Image of four puzzle pieces being put together, labelled 'Product Lifecycle', 'Project Delivery', 'Operational Support', and 'Stakeholder Management'.

    Create a stakeholder network map to product roadmaps and prioritization

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    Legend
    Black arrow with a solid line and single direction. Black arrows indicate the direction of professional influence
    Green arrow with a dashed line and bi-directional. Dashed green arrows indicate bidirectional, informal influence relationships

    Info-Tech Insight

    Your stakeholder map defines the influence landscape your product operates in. It is every bit as important as the teams who enhance, support, and operate your product directly.

    Use “connectors” to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantive relationships with your stakeholders.

    1.3.1 Visualize interrelationships to identify key influencers

    60 minutes

    Input: List of product stakeholders

    Output: Relationships among stakeholders and influencers

    Materials: Whiteboard/flip charts, Markers, Build a Better Product Owner Workbook

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. List direct stakeholders for your product.
    2. Determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
    3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    4. Construct a diagram linking stakeholders and their influencers together.
      1. Use black arrows to indicate the direction of professional influence.
      2. Use dashed green arrows to indicate bidirectional, informal influence relationships.
    5. Record the results in the Build a Better Product Owner Workbook.

    Categorize your stakeholders with a prioritization map

    A stakeholder prioritization map helps product owners categorize their stakeholders by their level of influence and ownership in the product and/or teams.

    Stakeholder prioritization map split into four quadrants along two axes, 'Influence', and 'Ownership/Interest': 'Players' (high influence, high interest); 'Mediators' (high influence, low interest); 'Noisemakers' (low influence, high interest); 'Spectators' (low influence, low interest). Source: Info-Tech Research Group

    There are four areas in the map, and the stakeholders within each area should be treated differently.
    • Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
    • Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
    • Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
    • Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

    1.3.2 Group your product owners into categories

    30 minutes

    Input: Stakeholder map

    Output: Categorization of stakeholders and influencers

    Materials: Whiteboard/flip charts, Markers, Build a Better Product Owner Workbook

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Identify your stakeholder’s interest in and influence on your Agile implementation as high, medium, or low by rating the attributes below.
    2. Map your results to the model below to determine each stakeholder’s category.
    3. Record the results in the Build a Better Product Owner Workbook.
    Same stakeholder prioritization map as before but with example positions mapped onto it.
    Level of Influence
    • Power: Ability of a stakeholder to effect change.
    • Urgency: Degree of immediacy demanded.
    • Legitimacy: Perceived validity of stakeholder’s claim.
    • Volume: How loud their “voice” is or could become.
    • Contribution: What they have that is of value to you.
    Level of Interest

    How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Stakeholder prioritization table with 'Stakeholder Category' as row headers ('Player', 'Mediator', 'Noisemaker', 'Spectator') and 'Level of Support' as column headers ('Supporter', 'Evangelist', 'Neutral', 'Blocker'). Importance ratings are 'Critical', 'High', 'Medium', 'Low', and 'Irrelevant'.

    Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by rating the following question: how likely is it that your stakeholder would recommend your product? These parameters are used to prioritize which stakeholders are most important and should receive the focus of your attention. The table above indicates how stakeholders are ranked.

    1.3.3 Prioritize your stakeholders

    30 minutes

    Input: Stakeholder matrix, Stakeholder prioritization

    Output: Stakeholder and influencer prioritization

    Materials: Whiteboard/flip charts, Markers, Build a Better Product Owner Workbook

    Participants: Product owners, Product managers, Development team leads, Portfolio managers, Business analysts

    1. Identify the level of support of each stakeholder by answering the following question: how likely is it that your stakeholder would endorse your product?
    2. Prioritize your stakeholders using the prioritization scheme on the previous slide.
    3. Record the results in the Build a Better Product Owner Workbook.
    Stakeholder | Category | Level of Support | Prioritization
    CMO | Spectator | Neutral | Irrelevant
    CIO | Player | Supporter | Critical

    Define strategies for engaging stakeholders by type

    Stakeholder strategy map assigning stakeholder strategies to stakeholder categories, as described in the adjacent table.

    Info-Tech Insight

    Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying your stakeholder groups, the product owner can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers, while ensuring the needs of the Mediators and Players are met.

    Type | Quadrant | Actions
    Players | High influence; high interest – actively engage | Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.
    Mediators | High influence; low interest – keep satisfied | They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers | Low influence; high interest – keep informed | Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
    Spectators | Low influence; low interest – monitor | They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Appendix

    Product owner capability details

    From Build a Better Product Owner

    Develop product owner capabilities

    Capability 'Vision' with sub-capabilities 'Market Analysis', 'Business Alignment', and 'Product Roadmap'.

    Each capability has three components needed for successful product ownership.

    Definitions are on the following slides.

    Central diagram title 'Product Owner Capabilities'.

    Define the skills and activities in each component that are directly related to your product and culture.

    Capability 'Leadership' with sub-capabilities 'Soft Skills', 'Collaboration', and 'Decision Making'.
    Capability 'Product Lifecycle Management' with sub-capabilities 'Plan', 'Build', and 'Run'.
    Capability 'Value Realization' with sub-capabilities 'KPIs', 'Financial Management', and 'Business Model'.

    Capabilities: Vision

    Market Analysis

    • Unique solution: Identify the target users and unique value your product provides that is not currently being met.
    • Market size: Define the size of your user base, segmentation, and potential growth.
    • Competitive analysis: Determine alternative solutions, products, or threats that affect adoption, usage, and retention.

    Business Alignment

    • SWOT analysis: Complete a SWOT analysis for your end-to-end product lifecycle. Use Info-Tech’s Business SWOT Analysis Template.
    • Enterprise alignment: Align product to enterprise goals, strategies, and constraints.
    • Delivery strategy: Develop a delivery strategy to achieve value quickly and adapt to internal and external changes.

    Product Roadmap

    • Roadmap strategy: Determine the duration, detail, and structure of your roadmap to accurately communicate your vision.
    • Value prioritization: Define criteria used to evaluate and sequence demand.
    • Go to market strategy: Create organizational change management, communications, and a user implementation approach.

    Info-Tech Insight

    Data comes from many places and may still not tell the complete story.

    Capability 'Vision' with sub-capabilities 'Market Analysis', 'Business Alignment', and 'Product Roadmap'.

    “Customers are best heard through many ears.” (Thomas K. Connellan, Inside the Magic Kingdom)

    Capabilities: Leadership

    Soft Skills

    • Communication: Maintain consistent, concise, and appropriate communication using SMART guidelines (specific, measurable, attainable, relevant, and timely).
    • Integrity: Stick to your values, principles, and decision criteria for the product to build and maintain trust with your users and teams.
    • Influence: Manage stakeholders using influence and collaboration over contract negotiation.

    Collaboration

    • Stakeholder management: Build a communications strategy for each stakeholder group, tailored to individual stakeholders.
    • Relationship management: Use every interaction point to strengthen relationships, build trust, and empower teams.
    • Team development: Promote development through stretch goals and controlled risks to build team capabilities and performance.

    Decision Making

    • Prioritized criteria: Remove personal bias by basing decisions off data analysis and criteria.
    • Continuous improvement: Balance new features with the need to ensure quality and create an environment of continuous improvement.
    • Team empowerment/negotiation: Push decisions to teams closest to the problem and solution, using Delegation Poker to guide you.

    Info-Tech Insight

    Product owners cannot be just a proxy for stakeholder decisions. The product owner owns product decisions and management of all stakeholders.

    Capability 'Leadership' with sub-capabilities 'Soft Skills', 'Collaboration', and 'Decision Making'.

    “Everything walks the walk. Everything talks the talk.” (Thomas K. Connellan, Inside the Magic Kingdom)

    Capabilities: Product lifecycle management

    Plan

    • Product backlog: Follow a schedule for backlog intake, refinement, updates, and prioritization.
    • Journey map: Create an end-user journey map to guide adoption and loyalty.
    • Fit for purpose: Define expected value and intended use to ensure the product meets your end user’s needs.

    Build

    • Capacity management: Work with operations and delivery teams to ensure consistent and stable outcomes.
    • Release strategy: Build learning, release, and critical milestones into a repeatable release plan.
    • Compliance: Build policy compliance into delivery practices to ensure alignment and reduce avoidable risk (privacy, security).

    Run

    • Adoption: Focus attention on end-user adoption and proficiency to accelerate value and maximize retention.
    • Support: Build operational support and business continuity into every team.
    • Measure: Measure KPIs and validate expected value to ensure product alignment to goals and consistent product quality.

    Info-Tech Insight

    Product owners must actively manage the full lifecycle of the product.

    Capability 'Product Lifecycle Management' with sub-capabilities 'Plan', 'Build', and 'Run'.

    “Pay fantastic attention to detail. Reward, recognize, celebrate.” (Thomas K. Connellan, Inside the Magic Kingdom)

    Capabilities: Value realization

    Key Performance Indicators (KPIs)

    • Usability and user satisfaction: Assess satisfaction through usage monitoring and end-user feedback.
    • Value validation: Directly measure performance against defined value proposition, goals, and predicted ROI.
    • Fit for purpose: Verify the product addresses the intended purpose better than other options.

    Financial Management

    • P&L: Manage each product as if it were its own business with profit and loss statements.
    • Acquisition cost/market growth: Define the cost of acquiring a new consumer, onboarding internal users, and increasing product usage.
    • User retention/market share: Verify product usage continues after adoption and solution reaches new user groups to increase value.

    Business Model

    • Defines value proposition: Dedicate your primary focus to understanding and defining the value your product will deliver.
    • Market strategy and goals: Define your acquisition, adoption, and retention plan for users.
    • Financial model: Build an end-to-end financial model and plan for the product and all related operational support.

    Info-Tech Insight

    Most organizations stop with on-time and on-budget. True financial alignment needs to define and manage the full lifecycle P&L.

    Capability 'Value Realization' with sub-capabilities 'KPIs', 'Financial Management', and 'Business Model'.

    “The competition is anyone the customer compares you with.” (Thomas K. Connellan, Inside the Magic Kingdom)

    Avoid common capability gaps

    Vision

    • Focusing solely on backlog refining (tactical only)
    • Ignoring or failing to align product roadmap to enterprise goals
    • Operational support and execution
    • Basing decisions on opinion rather than market data
    • Ignoring or missing internal and external threats to your product

    Leadership

    • Failing to include feedback from all teams who interact with your product
    • Using a command-and-control approach
    • Viewing product owner as only a delivery role
    • Acting as a proxy for stakeholder decisions
    • Avoiding tough strategic decisions in favor of easier tactical choices

    Product Lifecycle Management

    • Focusing on delivery and not the full product lifecycle
    • Ignoring support, operations, and technical debt
    • Failing to build knowledge management into the lifecycle
    • Underestimating delivery capacity, capabilities, or commitment
    • Assuming delivery stops at implementation

    Value Realization

    • Focusing exclusively on “on time/on budget” metrics
    • Failing to measure a 360-degree end-user view of the product
    • Skipping business plans and financial models
    • Limiting financial management to project/change budgets
    • Ignoring market analysis for growth, penetration, and threats

    Bibliography – Product Ownership

    A, Karen. “20 Mental Models for Product Managers.” Medium, Product Management Insider, 2 Aug. 2018. Web.

    Adams, Paul. “Product Teams: How to Build & Structure Product Teams for Growth.” Inside Intercom, 30 Oct. 2019. Web.

    Agile Alliance. “Product Owner.” Agile Alliance, n.d. Web.

    Banfield, Richard, et al. “On-Demand Webinar: Strategies for Scaling Your (Growing) Enterprise Product Team.” Pluralsight, 31 Jan. 2018. Web.

    Blueprint. “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint, 2012. Web.

    Breddels, Dajo, and Paul Kuijten. “Product Owner Value Game.” Agile2015 Conference, 2015. Web.

    Cagan, Martin. “Behind Every Great Product.” Silicon Valley Product Group, 2005. Web.

    Cohn, Mike. “What is a product?” Mountain Goat Software, 16 Sept. 2016. Web.

    Connellan, Thomas K. Inside the Magic Kingdom. Bard Press, 1997. Print.

    Curphey, Mark. “Product Definition.” slideshare.net, 25 Feb. 2007. Web.

    Eringa, Ron. “Evolution of the Product Owner.” RonEringa.com, 12 June 2016. Web.

    Fernandes, Thaisa. “Spotify Squad Framework - Part I.” Medium.com, 6 March 2017. Web.

    Galen, Robert. “Measuring Product Ownership – What Does ‘Good’ Look Like?” RGalen Consulting, 5 Aug. 2015. Web.

    Halisky, Merland, and Luke Lackrone. “The Product Owner’s Universe.” Agile Alliance, Agile2016, 2016. Web.

    Kamer, Jurriaan. “How to Build Your Own ‘Spotify Model’.” Medium.com, 9 Feb. 2018. Web.

    Kendis Team. “Exploring Key Elements of Spotify’s Agile Scaling Model.” Medium.com, 23 July 2018. Web.

    Lindstrom, Lowell. “7 Skills You Need to Be a Great Product Owner.” Scrum Alliance, n.d. Web.

    Lukassen, Chris. “The Five Belts Of The Product Owner.” Xebia.com, 20 Sept. 2016. Web.

    Management 3.0. “Delegation Poker Product Image.” Management 3.0, n.d. Web.

    McCloskey, Heather. “Scaling Product Management: Secrets to Defeating Common Challenges.” ProductPlan, 12 July 2019. Web.

    McCloskey, Heather. “When and How to Scale Your Product Team.” UserVoice, 21 Feb. 2017. Web.

    Mironov, Rich. “Scaling Up Product Manager/Owner Teams: Rich Mironov's Product Bytes.” Rich Mironov's Product Bytes, Mironov Consulting, 12 April 2014. Web.

    Overeem, Barry. “A Product Owner Self-Assessment.” Barry Overeem, 6 March 2017. Web.

    Overeem, Barry. “Retrospective: Using the Team Radar.” Barry Overeem, 27 Feb. 2017. Web.

    Pichler, Roman. “How to Scale the Scrum Product Owner.” Roman Pichler, 28 June 2016. Web.

    Pichler, Roman. “Product Management Framework.” Pichler Consulting Limited, 2014. Web.

    Pichler, Roman. “Sprint Planning Tips for Product Owners.” LinkedIn, 4 Sept. 2018. Web.

    Pichler, Roman. “What Is Product Management?” Pichler Consulting Limited, 26 Nov. 2014. Web.

    Radigan, Dan. “Putting the ‘Flow’ Back in Workflow With WIP Limits.” Atlassian, n.d. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Agile Product Management.” Scrum.org, 28 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on (Business) Value.” Scrum.org, 30 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Product Backlog Management.” Scrum.org, 5 Dec. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on the Product Vision.” Scrum.org, 29 Nov. 2017. Web.

    Schuurman, Robbin. “Tips for Starting Product Owners.” Scrum.org, 27 Nov. 2017. Web.

    Sharma, Rohit. “Scaling Product Teams the Structured Way.” Monetary Musings, 28 Nov. 2016. Web.

    Steiner, Anne. “Start to Scale Your Product Management: Multiple Teams Working on Single Product.” Cprime, 6 Aug. 2019. Web.

    Shirazi, Reza. “Betsy Stockdale of Seilevel: Product Managers Are Not Afraid To Be Wrong.” Austin VOP #50, 2 Oct. 2018. Web.

    “The Standish Group 2015 Chaos Report.” The Standish Group, 2015. Web.

    Theus, Andre. “When Should You Scale the Product Management Team?” ProductPlan, 7 May 2019. Web.

    Tolonen, Arto. “Scaling Product Management in a Single Product Company.” Smartly.io, 26 Apr. 2018. Web.

    Ulrich, Catherine. “The 6 Types of Product Managers. Which One Do You Need?” Medium.com, 19 Dec. 2017. Web.

    VersionOne. “12th Annual State of Agile Report.” VersionOne, 9 April 2018. Web.

    Verwijs, Christiaan. “Retrospective: Do The Team Radar.” Medium.com, 10 Feb. 2017. Web.

    “How do you define a product?” Scrum.org, 4 April 2017. Web.

    “Product Definition.” TechTarget, Sept. 2005. Web.

    Bibliography – Product Roadmap

    Ambysoft. “2018 IT Project Success Rates Survey Results.” Ambysoft. 2018. Web.

    Bastow, Janna. “Creating Agile Product roadmaps Everyone Understands.” ProdPad, 22 Mar. 2017. Accessed Sept. 2018.

    Bastow, Janna. “The Product Tree Game: Our Favorite Way To Prioritize Features.” ProdPad, 21 Feb. 2016. Accessed Sept. 2018.

    Chernak, Yuri. “Requirements Reuse: The State of the Practice.” 2012, Herzlia, Israel, 2012 IEEE International Conference on Software Science, Technology and Engineering, 12 June 2012. Web.

    Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Accessed 20 Nov. 2017.

    Harrin, Elizabeth. “Learn What a Project Milestone Is.” The Balance Careers, 10 May 2018. Accessed Sept. 2018.

    “How to create a product roadmap.” Roadmunk, n.d. Accessed Sept. 2018.

    Johnson, Steve. “How to Master the 3 Horizons of Product Strategy.” Aha!, 24 Sept. 2015. Accessed Sept. 2018.

    Johnson, Steve. “The Product Roadmap vs. the Technology Roadmap.” Aha!, 23 June 2016. Accessed Sept. 2018.

    Juncal, Shaun. “How Should You Set Your Product Roadmap Timeframes?” ProductPlan, n.d. Accessed Sept. 2018.

    Leffingwell, Dean. “SAFe 4.0.” Scaled Agile, Inc., 2017. Web.

    Maurya, Ash. “What is a Minimum Viable Product (MVP)?” LEANSTACK, 12 June 2017. Accessed Sept. 2018.

    Pichler, Roman. “10 Tips for Creating an Agile Product Roadmap.” Roman Pichler, 20 July 2016. Accessed Sept. 2018.

    Pichler, Roman. Strategize: Product Strategy and Product Roadmap Practices for the Digital Age. Pichler Consulting, 2016.

    “Product Roadmap Contents: What Should You Include?” ProductPlan, n.d. Accessed 20 Nov. 2017.

    Saez, Andrea. “Why Your Roadmap Is Not a Release Plan.” ProdPad, 23 Oct. 2015. Accessed Sept. 2018.

    Schuurman, Robbin. “Tips for Agile product roadmaps & product roadmap examples.” Scrum.org, 7 Dec. 2017. Accessed Sept. 2018.

    Research Contributors and Experts

    Emily Archer
    Lead Business Analyst,
    Enterprise Consulting, authentic digital agency

    Emily Archer is a consultant currently working with Fortune 500 clients to ensure the delivery of successful projects, products, and processes. She helps increase the business value returned for organizations’ investments in designing and implementing enterprise content hubs and content operations, custom web applications, digital marketing, and e-commerce platforms.

    David Berg
    Founder & CTO
    Strainprint Technologies Inc.

    David Berg is a product commercialization expert who has spent the last 20 years of his career delivering product management and business development services across a broad range of industries. Early in his career, David worked with product management and engineering teams to build core network infrastructure products that secure and power the internet we benefit from today. David’s experience also includes working with clean technologies in the area of clean power generation, agritech, and Internet of Things infrastructure. Over the last five years, David has been focused on his latest venture, Strainprint Technologies, a data and analytics company focused on the medical cannabis industry. Strainprint has built the largest longitudinal medical cannabis dataset in the world with the goal to develop an understanding of treatment behavior, interactions, and chemical drivers to guide future product development.

    Kathy Borneman
    Digital Product Owner, SunTrust Bank

    Kathy Borneman is a senior product owner who helps people enjoy their jobs again by engaging others in end-to-end decision making to deliver software and operational solutions that enhance the client experience and allow people to think and act strategically.

    Charlie Campbell
    Product Owner, Merchant e-Solutions

    Charlie Campbell is an experienced problem solver with the ability to quickly dissect situations and recommend immediate actions to achieve resolution, liaise between technical and functional personnel to bridge the technology and communication gap, and work with diverse teams and resources to reach a common goal.

    Yarrow Diamond
    Sr. Director, Business Architecture
    Financial Services

    Yarrow Diamond is an experienced professional with expertise in enterprise strategy development, project portfolio management, and business process reengineering across financial services, healthcare and insurance, hospitality, and real estate environments. She has a master’s in Enterprise Architecture from Penn State University, LSSMBB, PMP, CSM, ITILv3.

    Cari J. Faanes-Blakey, CBAP, PMI-PBA
    Enterprise Business Systems Analyst,
    Vertex, Inc.

    Cari J. Faanes-Blakey has a history in software development and implementation as a Business Analyst and Project Manager for financial and taxation software vendors. Active in the International Institute of Business Analysis (IIBA), Cari participated on the writing team for the BA Body of Knowledge 3.0 and the certification exam.

    Kieran Gobey
    Senior Consultant Professional Services
    Blueprint Software Systems

    Kieran Gobey is an IT professional with 24 years of experience, focused on business, technology, and systems analysis. He has split his career between external and internal customer-facing roles, and this has resulted in a true understanding of what is required to be a Professional Services Consultant. His problem-solving skills and ability to mentor others have resulted in successful software implementations.

    Kieran’s specialties include deep system troubleshooting and analysis skills, facilitating communications to bring together participants effectively, mentoring, leadership, and organizational skills.

    Rupert Kainzbauer
    VP Product, Digital Wallets
    Paysafe Group

    Rupert Kainzbauer is an experienced senior leader with a passion for defining and delivering products that deliver real customer and commercial benefit. Together with a team of highly experienced and motivated product managers, he has successfully led highly complex, multi-stakeholder payments initiatives, from proposition development and solution design through to market delivery. Their domain experience is in building online payment products in high-risk and emerging markets, remittance, prepaid cards, and mobile applications.

    Saeed Khan
    Founder,
    Transformation Labs

    Saeed Khan has been working in high tech for 30 years in both Canada and the US and has held a number of leadership roles in Product Management over that time. He speaks regularly at conferences and has been writing publicly about technology product management since 2005.

    Through Transformation Labs, Saeed helps companies accelerate product success by working with product teams to improve their skills, practices, and processes. He is a cofounder of ProductCamp Toronto and currently runs a Meetup group and global Slack community called Product Leaders, the only global community of senior-level product executives.

    Hoi Kun Lo
    Product Owner
    Nielsen

    Hoi Kun Lo is an experienced change agent who can be found actively participating within the IIBA and WITI groups in Tampa, FL, and a champion for Agile, architecture, diversity, and inclusion programs at Nielsen. She is currently a Product Owner in the Digital Strategy team within Nielsen Global Watch Technology.

    Abhishek Mathur
    Sr Director, Product Management
    Kasisto, Inc.

    Abhishek Mathur is a product management leader, an artificial intelligence practitioner, and an educator. He has led product management and engineering teams at Clarifai, IBM, and Kasisto to build a variety of artificial intelligence applications within the space of computer vision, natural language processing, and recommendation systems. Abhishek enjoys having deep conversations about the future of technology and helping aspiring product managers enter and accelerate their careers.

    Jeff Meister
    Technology Advisor and Product Leader

    Jeff Meister is a technology advisor and product leader. He has more than 20 years of experience building and operating software products and the teams that build them. He has built products across a wide range of industries and has built and led large engineering, design, and product organizations.

    Jeff most recently served as Senior Director of Product Management at Avanade, where he built and led the product management practice. This involved hiring and leading product managers, defining product management processes, solution shaping and engagement execution, and evangelizing the discipline through pitches, presentations, and speaking engagements.

    Jeff holds a Bachelor of Applied Science (Electrical Engineering) and a Bachelor of Arts from the University of Waterloo, an MBA from INSEAD (Strategy), and certifications in product management, project management, and design thinking.

    Vincent Mirabelli
    Principal,
    Global Project Synergy Group

    With over 10 years of experience in both the private and public sectors, Vincent Mirabelli possesses an impressive track record of improving, informing, and transforming business strategy and operations through process improvement, design and re-engineering, and the application of quality to business analysis, project management, and process improvement standards.

    Oz Nazili
    VP, Product & Growth
    TWG

    Oz Nazili is a product leader with a decade of experience in both building products and product teams. Having spent time at funded startups and large enterprises, he thinks often about the most effective way to deliver value to users. His core areas of interest include Lean MVP development and data-driven product growth.

    Mark Pearson
    Principal IT Architect
    First Data Corporation

    Mark Pearson is an executive business leader grounded in the process, data, technology, and operations of software-driven business. He knows the enterprise software landscape and is skilled in product, technology, and operations design and delivery within information technology organizations, outsourcing firms, and software product companies.

    Brenda Peshak
    Product Owner,
    Widget Industries, LLC

    Brenda Peshak is skilled in business process, analysis, Microsoft Office Suite, communication, and customer relationship management (CRM). She is a strong product management professional with a master’s degree in Business Leadership (MBL) from William Penn University.

    Mike Starkey
    Director of Engineering
    W.W. Grainger

    Mike Starkey is a Director of Engineering at W.W. Grainger, currently focusing on operating model development, digital architecture, and building enterprise software. Prior to joining W.W. Grainger, Mike held a variety of technology consulting roles throughout the system delivery lifecycle spanning multiple industries such as healthcare, retail, manufacturing, and utilities with Fortune 500 companies.

    Anant Tailor
    Cofounder & Head of Product
    Dream Payments Corp.

    Anant Tailor is a cofounder at Dream Payments where he currently serves as the COO and Head of Product, having responsibility for Product Strategy & Development, Client Delivery, Compliance, and Operations. He has 20+ years of experience building and operating organizations that deliver software products and solutions for consumers and businesses of varying sizes.

    Prior to founding Dream Payments, Anant was the COO and Director of Client Services at DonRiver Inc, a technology strategy and software consultancy that he helped to build and scale into a global company with 100+ employees operating in seven countries.

    Anant is a Professional Engineer with a Bachelor’s degree in Electrical Engineering from McMaster University and a certificate in Product Strategy & Management from the Kellogg School of Management at Northwestern University.

    Angela Weller
    Scrum Master, Businessolver

    Angela Weller is an experienced Agile business analyst who collaborates with key stakeholders to attain their goals and contributes to the achievement of the company’s strategic objectives to ensure a competitive advantage. She excels when mediating or facilitating teams.

    Combine Security Risk Management Components Into One Program

    • Member rating, overall impact: 9.1/10
    • Member rating, average dollars saved: $37,798
    • Member rating, average days saved: 32
    • Companies are aware of the need to discuss and assess risk, but many struggle to do so in a systematic and repeatable way.
    • Security risks are rarely analyzed consistently, let alone with a systematic and repeatable method for determining both project risk and overall organizational risk exposure.

    Our Advice

    Critical Insight

    • The best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of based on frameworks and gut feelings. This will optimize any security planning and budgeting.
    • All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.

    Impact and Result

    • Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face.
    • Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who makes the final decision on certain risks.
    • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project or initiative.
    • Tie together all aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.

    Combine Security Risk Management Components Into One Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop and implement a security risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish the risk environment

    Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level.

    • Combine Security Risk Management Components Into One Program – Phase 1: Establish the Risk Environment
    • Security Risk Governance Responsibilities and RACI Template
    • Risk Tolerance Determination Tool
    • Risk Weighting Determination Tool

    2. Conduct threat and risk assessments

    Define frequency and impact rankings then assess the risk of your project.

    • Combine Security Risk Management Components Into One Program – Phase 2: Conduct Threat and Risk Assessments
    • Threat and Risk Assessment Process Template
    • Threat and Risk Assessment Tool

    3. Build the security risk register

    Catalog an inventory of individual risks to create an overall risk profile.

    • Combine Security Risk Management Components Into One Program – Phase 3: Build the Security Risk Register
    • Security Risk Register Tool

    4. Communicate the risk management program

    Communicate the risk-based conclusions and leverage these in security decision making.

    • Combine Security Risk Management Components Into One Program – Phase 4: Communicate the Risk Management Program
    • Security Risk Management Presentation Template
    • Security Risk Management Summary Template

    Workshop: Combine Security Risk Management Components Into One Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Risk Environment

    The Purpose

    Build the foundation needed for a security risk management program.

    Define roles and responsibilities of the risk executive.

    Define an information security risk tolerance level.

    Key Benefits Achieved

    Clearly defined roles and responsibilities.

    Defined risk tolerance level.

    Activities

    1.1 Define the security executive function RACI chart.

    1.2 Assess business context for security risk management.

    1.3 Standardize risk terminology assumptions.

    1.4 Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.

    1.5 Decide on a custom risk factor weighting.

    1.6 Finalize the risk tolerance level.

    1.7 Begin threat and risk assessment.

    Outputs

    Defined risk executive functions

    Risk governance RACI chart

    Defined quantified risk tolerance and risk factor weightings

    2 Conduct Threat and Risk Assessments

    The Purpose

    Determine when and how to conduct threat and risk assessments (TRAs).

    Complete one or two TRAs, as time permits during the workshop.

    Key Benefits Achieved

    Developed process for how to conduct threat and risk assessments.

    Deep risk analysis for one or two IT projects/initiatives.

    Activities

    2.1 Determine when to initiate a risk assessment.

    2.2 Review appropriate data classification scheme.

    2.3 Identify system elements and perform data discovery.

    2.4 Map data types to the elements.

    2.5 Identify STRIDE threats and assess risk factors.

    2.6 Determine risk actions taking place and assign countermeasures.

    2.7 Calculate mitigated risk severity based on actions.

    2.8 If necessary, revisit risk tolerance.

    2.9 Document threat and risk assessment methodology.

    Outputs

    Defined scope of system elements and data within assessment

    Mapping of data to different system elements

    Threat identification and associated risk severity

    Defined risk actions to take place in threat and risk assessment process

    3 Continue to Conduct Threat and Risk Assessments

    The Purpose

    Complete one or two TRAs, as time permits during the workshop.

    Key Benefits Achieved

    Deep risk analysis for one or two IT projects/initiatives, as time permits.

    Activities

    3.1 Continue threat and risk assessment activities.

    3.2 As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.

    3.3 Review risk assessment results and compare to risk tolerance level.

    Outputs

    One to two threat and risk assessment activities performed

    Validation of the risk tolerance level

    4 Establish a Risk Register and Communicate Risk

    The Purpose

    Collect, analyze, and aggregate all individual risks into the security risk register.

    Plan for the future of risk management.

    Key Benefits Achieved

    Established risk register to provide overview of the organizational aggregate risk profile.

    Ability to communicate risk to other stakeholders as needed.

    Activities

    4.1 Begin building a risk register.

    4.2 Identify individual risks and threats that exist in the organization.

    4.3 Decide risk responses, depending on the risk level as it relates to the risk tolerance.

    4.4 If necessary, revisit risk tolerance.

    4.5 Identify which stakeholders sign off on each risk.

    4.6 Plan for the future of risk management.

    4.7 Determine how to present risk to senior management.

    Outputs

    Risk register, with an inventory of risks and a macro view of the organization’s risk

    Defined risk-based initiatives to complete

    Plan for securing and managing the risk register

    Applications Priorities 2023

    • Member rating, overall impact: N/A
    • Member rating, average dollars saved: N/A
    • Member rating, average days saved: N/A
    • Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.
    • These tools and technologies must meet the top business goals of CXOs: ensure service continuity, improve customer experience, and make data-driven decisions.
    • While today’s business applications are good and well received, there is still room for improvement. The average business application satisfaction score among IT leadership was 72% (n=1582, CIO Business Vision).

    Our Advice

    Critical Insight

    • Applications are critical components in any business strategic plan. They can directly influence an organization’s internal and external brand and reputation, such as their uniqueness, competitiveness, and innovativeness in the industry.
    • Business leaders are continuously looking for innovative ways to better position their application portfolio to satisfy their goals and objectives, i.e., application priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfy the different needs of very different customers, stakeholders, and users.
    • Unfortunately, expectations on your applications team have increased while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

    Impact and Result

    Explore the technology and practice initiatives in this report to determine which should be prioritized in your application strategy and aligned with your organization's business objectives:

    • Optimize the effectiveness of the IT organization.
    • Boost the productivity of the enterprise.
    • Enable business growth through technology.

    Applications Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Applications Priorities Report 2023 – A report that introduces and describes five opportunities to prioritize in your 2023 application strategy.

    In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the ambitions of your organization.

    • Applications Priorities 2023 Report

    Further reading

    Applications Priorities 2023

    Applications are the engine of the business: keep them relevant and modern

    What we are facing today is transforming the ways in which we work, live, and relate to one another. Applications teams and portfolios MUST change to meet this reality.

    Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.

    As organizations continue to strengthen business continuity, disaster recovery, and system resilience, activities to simply "keep the lights on" are not enough. Be pragmatic in the prioritization and planning of your applications initiatives, and use your technologies as a foundation for your growth.

    Your applications must meet the top business goals of your CXOs

    • Ensure service continuity
    • Improve customer experience
    • Make data-driven decisions
    • Maximize stakeholder value
    • Manage risk

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

    Select and align your applications priorities to your business goals and objectives

    Applications are critical components in any business strategic plan. They can directly influence an organization's internal and external brand and reputation, such as their:

    • Uniqueness, competitiveness, and innovativeness in the industry.
    • Ability to be dynamic, flexible, and responsive to changing expectations, business conditions, and technologies.

    Therefore, business leaders are continuously looking for innovative ways to better position their application portfolios to satisfy their goals and objectives, i.e., applications priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfy the different needs of very different customers, stakeholders, and users.

    Today's business applications are good but leave room for improvement

    72%
    Average business application satisfaction score among IT leadership in 1582 organizations.

    Source: CIO Business Vision, August 2021 to July 2022, N=190.

    Five Applications Priorities for 2023

    In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the ambitions of your organization.

    Strengthen your foundations to better support your applications priorities

    These key capabilities are imperative to the success of your applications strategy.

    KPIs & Metrics

    Easily attainable and insightful measurements to gauge the progress of meeting strategic objectives and goals (KPIs), and the performance of individual teams, practices and processes (metrics).

    Business Alignment

    Gain an accurate understanding and interpretation of stakeholder, end-user, and customer expectations and priorities. These define the success of business products and services considering the priorities of individual business units and teams.

    Efficient Delivery & Support Practice

    Software delivery and support roles, processes, and tools are collaborative, well equipped and resourced, and optimized to meet changing stakeholder expectations.

    Data Management & Governance

    Ensuring data is continuously reliable and trustworthy. Data structure and integrations are defined, governed, and monitored.

    Product & Service Ownership

    Complete inventory and rationalization of the product and service portfolio, prioritized backlogs, roadmaps, and clear product and service ownership with good governance. This helps ensure this portfolio is optimized to meet its goals and objectives.

    Organizational Change Management

    Manage the adoption of new and modified processes and technologies considering reputational, human, and operational concerns.

    IT Operational Management

    Continuous monitoring and upkeep of products and services to assure business continuity, system reliability, robustness, and disaster recovery.

    Architectural Framework

    A set of principles and standards that guides the consistent, sustainable and scalable growth of enterprise technologies. Changes to the architecture are made in collaboration with affected parties, such as security and infrastructure.

    Application Security

    The measures, controls, and tactics at the application layer that prevent vulnerabilities, defend against external and internal threats, and ensure compliance with industry and regulatory security frameworks and standards.

    There are many factors that can stand in your team's way

    Expectations on your applications team have increased, while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

    1. Attracting and retaining talent
    2. Maximizing the return on technology
    3. Confidently shifting to digital
    4. Addressing competing priorities
    5. Fostering a collaborative culture
    6. Creating high-throughput teams

    CIOs agree that at least some improvement is needed across key IT activities

    A bar graph is depicted which shows the proportion of CIOs who believe that some, or significant improvement is necessary for the following categories: Measure IT Project Success; Align IT Budget; Align IT Project Approval Process; Measure Stakeholder Satisfaction With IT; Define and Align IT Strategy; Understand Business Goals

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

    Pressure Point 1:
    Attracting and Retaining Talent

    Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

    Address the underlying challenges

    • Lack of employee empowerment and few opportunities for learning and development.
    • Poor coworker and manager relationships.
    • Compensation and benefits are inadequate to maintain desired quality of life.
    • Unproductive work environment and conflicting balance of work and life.
    • Unsatisfactory employee experience, including lack of employee recognition and transparency of organizational change.

    While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing.
    62% of organizations reported increased working hours, while 80% reported an increase in flexibility.
    Source: McLean & Company, 2022; n=394.

    Be strategic in how you fill and train key IT skills and capabilities

    • Cybersecurity
    • Big Data/Analytics
    • Technical Architecture
    • DevOps
    • Development
    • Cloud

    Source: Harvey Nash Group, 2021; n=2120.

    Pressure Point 2:
    Maximizing the Return on Technology

    Address the underlying challenges

    • Inability to analyze, propose, justify, and communicate modernization solutions in language the stakeholders understand and in a way that shows they clearly support business priorities and KPIs and mitigate risks.
    • Little interest in documenting and rationalizing products and services through business-IT collaboration.
    • Lack of internal knowledge of the system and loss of vendor support.
    • Undefined, siloed product and service ownership and governance, preventing solutions from working together to collectively deliver more value.
    • Little stakeholder appetite to invest in activities beyond "keeping the lights on."

    Only 64% of applications were identified as effective by end users.
    Effective applications are identified as at least highly important and have high feature and usability satisfaction.
    Source: Application Portfolio Assessment, August 2021 to July 2022; N=315.

    "Regardless of the many definitions of modernization floating around, the one characteristic that we should be striving for is to ensure our applications do an outstanding job of supporting the users and the business in the most effective and efficient manner possible."
    Source: looksoftware.

    Pressure Point 3:
    Confidently Shifting to Digital

    "Going digital" reshapes how the business operates and drives value by optimizing how digital and traditional technologies and tactics work together. This shift often presents significant business and technical risks to business processes, enterprise data, applications, and systems which stakeholders and teams are not aware of or prepared to accommodate.

    Address the underlying challenges

    • Differing perspectives on digital can lead to disjointed transformation initiatives, oversold benefits, and a lack of synergy among digital technologies and processes.
    • Organizations have difficulty adapting to new technologies or rethinking current business models, processes, and ways of working because of the potential human, ethical, and reputational impacts and restrictions from legacy systems.
    • Management lacks a framework to evaluate how their organization manages and governs business value delivery.
    • IT is not equipped or resourced to address these rapidly changing business, customer, and technology needs.
    • The wrong tools and technologies were chosen to support the shift to digital.

    The shift to digital processes is starting, but slowly.
    62% of respondents indicated that 1-20% of their processes were digitized during the past year.
    Source: Tech Trends and Priorities 2023; N=500

    Resistance to change and time/budget constraints are top barriers preventing companies from modernizing their applications.
    Source: Konveyor, 2022; n=600.

    Pressure Point 4:
    Addressing Competing Priorities

    Enterprise products and services are not used, operated, or branded in isolation. The various parties involved may have competing priorities, which often leads to disagreements on when certain business and technology changes should be made and how resources, budget, and other assets should be allocated. Without a broader product vision, portfolio vision, and roadmap, the various dependent or related products and services will not deliver the same level of value as if they were managed collectively.

    Address the underlying challenges

    • Undefined product and service ownership and governance, including escalation procedures when consensus cannot be reached.
    • Lack of a unified and grounded set of value and quality definitions, guiding principles, prioritization standards, and broad visibility across portfolios, business capabilities, and business functions.
    • Distrust between business units and IT teams, which leads to the scaling of unmanaged applications and fragmented changes and projects.
    • Decisions are based on opinions and experiences without supporting data.

    55% of CXOs stated some improvement is necessary in activities to understand business goals.
    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    CXOs are moderately satisfied with IT's performance as a business partner (average score of 69% among all CXOs). This sentiment is similarly felt among CIOs (64%).
    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    Pressure Point 5:
    Fostering a Collaborative Culture

    Culture impacts business results, including bottom-line revenue and productivity metrics. Leaders appreciate the impact culture can have on applications initiatives and wish to leverage this. How culture translates from an abstract concept to something that is measurable and actionable is not straightforward. Executives need to clarify how the desired culture will help achieve their applications strategy and need to focus on the items that will have the most impact.

    Address the underlying challenges

    • Broad changes do not consider the unique subcultures, personalities, and behaviors of the various teams and individuals in the organization.
    • Leaders mandate cultural changes without alleviating critical barriers and do not embody the principles of the target state.
    • Bureaucracy and politics restrict changes and encourage the status quo.
    • Industry standards, technologies, and frameworks do not support or cannot be tailored to fit the desired culture.
    • Some teams are deliberately excluded from the scoping, planning, and execution of key product and service delivery and management activities.

    Agile does not solve team culture challenges.
    43% of organizations cited organizational culture as a significant barrier to adopting and scaling Agile practices.
    Source: Digital.ai, 2021.

    "Providing a great employee experience" as the second priority (after recruiting) highlights the emphasis organizations are placing on helping employees adjust after having been forced to change the way work gets done.
    Source: McLean & Company, 2022; N=826.

    Use your applications priorities to help address your pressure points

    Success can be dependent on your ability to navigate around or alleviate your pressure points. Design and market your applications priorities to bring attention to your pressure points and position them as key risk factors to their success.

    Applications Priorities

    | Pressure Point | Digital Experience (DX) | Intelligent Automation | Proactive Application Management | Multisource Systems | Digital Organization as a Platform |
    | --- | --- | --- | --- | --- | --- |
    | Attracting and Retaining Talent | Enhance the employee experience | Be transparent and support role changes | Shift focus from maintenance to innovation | Enable business-managed applications | Promote and showcase achievements and successes |
    | Maximizing the Return on Technology | Modernize or extend the use of existing investments | Automate applications across multiple business functions | Improve the reliability of mission-critical applications | Enhance the functionality of existing applications | Increase visibility of underused applications |
    | Confidently Shifting to Digital | Prioritize DX in your shift to digital | Select the capabilities that will benefit most from automation | Prepare applications to support digital tools and technologies | Use best-of-breed tools to meet specific digital needs | Bring all applications up to a common digital standard |
    | Addressing Competing Priorities | Ground your digital vision, goals, and objectives | Recognize and evaluate the architectural impact | Rationalize the health of the applications | Agree on a common philosophy on system composition | Map to a holistic platform vision, goals, and objectives |
    | Fostering a Collaborative Culture | Involve all perspectives in defining and delivering DX | Involve the end user in the delivery and testing of the automated process | Include the technical perspective in the viability of future applications plans | Discuss how applications can work together better in an ecosystem | Ensure the platform is configured to meet the individual needs of the users |
    | Creating High-Throughput Teams | Establish delivery principles centered on DX | Remove manual, error-prone, and mundane tasks | Simplify applications to ease delivery and maintenance | Alleviate delivery bottlenecks and issues | Abstract the enterprise system to expedite delivery |

    Digital Experience (DX)

    PRIORITY 1

    • Deliver Valuable User, Customer, Employee, and Brand Experiences

    Delivering valuable digital experiences requires the adoption of good management, governance, and operational practices to accommodate stakeholder, employee, customer, and end-user expectations of digital experiences (e.g. product management, automation, and iterative delivery). Technologies are chosen based on what best enables, delivers, and supports these expectations.

    Introduction

    Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience.

    What is digital experience (DX)?

    Digital experience (DX) refers to the interaction between a user and an organization through digital products and services. Digital products and services are tools, systems, devices, and resources that gather, store, and process data; are continuously modernized; and embody eight key attributes that are described on the following slide. DX is broken down into four distinct perspectives*:

    • Customer Experience – The immediate perceptions of transactions and interactions experienced through a customer's journey in the use of the organization's digital products and services.
    • End-User Experience – Users' emotions, beliefs, and physical and psychological responses that occur before, during, or after interacting with a digital product or service.
    • Brand Experience – The broader perceptions, emotions, thoughts, feelings and actions the public associate with the organization's brand and reputation or its products and services. Brand experience evolves over time as customers continuously engage with the brand.
    • Employee Experience – The satisfaction and experience of an employee through their journey with the organization, from recruitment and hiring to their departure. How an employee embodies and promotes the organization brand and culture can affect their performance, trust, respect, and drive to innovate and optimize.

    [Figure: Digital Products and Services, with the four perspectives: Customer Experience, Brand Experience, Employee Experience, End-User Experience]

    Digital products and services have a common set of attributes

    Digital products and services must keep pace with changing business and end-user needs and tightly support your maturing business model through continuous modernization. Focus your continuous modernization on the key characteristics that drive business value.

    • Fit for purpose: Functionalities are designed and implemented for the purpose of satisfying the end user's needs and solving their problems.
    • User-centric: End users see the product as rewarding, engaging, intuitive, and emotionally satisfying. They want to come back to it.
    • Adaptable: The product can be quickly tailored to meet changing end-user and technology needs with reusable and customizable components.
    • Accessible: The product is available on demand and on the end user's preferred interface. End users have a seamless experience across all devices.
    • Private and secured: The end user's activity and data are protected from unauthorized access.
    • Informative and insightful: The product delivers consumable, accurate, and trustworthy real-time data that is important to the end user.
    • Seamless application connection: The product facilitates direct interactions with one or more other products through an uninterrupted user experience.
    • Relationship and network building: The product enables and promotes the connection and interaction of people.

    The Business Value cycle of continuous modernization.

    Signals

    DX is critical for business growth and maturity, but the organization may not be ready

    A good DX has become a key differentiator that gives organizations an advantage over their competition and peers. Shifts in working environments; employee, customer, and stakeholder expectations; and the advancements in modern technologies have raised the importance of adopting and transitioning to digital processes and tools to stay relevant and responsive to changing business and technology conditions.

    Applications teams are critical to ensuring the successful delivery and operation of these digital processes and tools. However, they are often under-resourced and challenged to meet their DX goals.

    • 7% of both business and IT respondents think IT has the resources needed to keep up with digital transformation initiatives and meet deadlines (Cyara, 2021).
    • 43% of respondents said that the core barrier to digital transformation is a lack of skilled resources (Creatio, 2021).

    91% of organizations stated that at least 1% of processes were shifted from being manually completed to digitally completed in the last year. 29% of organizations stated at least 21% were shifted.

    Source: Tech Trends and Priorities 2023; N=500.

    98% of organizations recognized digital transformation is important for competitive advantage. 94% stated it is important to enhance customer experience, and 91% stated it will have a positive impact on revenue.

    Source: Cyara, 2021.

    Drivers

    Brand and reputation

    Customers are swayed by the innovations and advancements in digital technologies and expect your applications team to deliver and support them. Your leaders recognize the importance of these expectations and are integrating them into their business strategy and brand (how the organization presents itself to its customers, employees and the public). They hope that their actions will improve and shape the company's reputation (public perception of the company) as effective, customer-focused, and forward-thinking.

    Worker productivity

    As you evolve and adopt more complex tools and technology, your stakeholders will expect more from business units and IT teams. Unfortunately, teams employing manual processes and legacy systems will struggle to meet these expectations. Digital products and services promote the simplification of complex operations and applications and help the business and your teams better align operational practices with strategic goals and deliver valuable DX.

    Organization modernization

    Legacy processes, systems, and ways of working are no longer suitable for meeting the strategic digital objectives and DX needs stakeholders expect. They drive up operational costs without increased benefits, impede business growth and innovation, and consume scarce budgets that could be used for other priorities. Shifting to digital tools and technologies will bring these challenges to light and demonstrate how modernization is an integral part of DX success.

    Benefits & Risks

    Benefits

    • Flexibility & Satisfaction: Employees and customers can choose how they want to access, modify, and consume digital products and services. They can be tailored to meet the specific functional needs, behaviors, and habits of the end user.
    • Adoption: The customer, end user, brand, and employee drive selection, design, and delivery of digital products and services. Even the most advanced technologies will fail if key roles do not see the value in their use.
    • Reliability: Digital products and services are delivered with technical quality built into them, ensuring they meet the industry, regulatory, and company standards throughout their lifespan and in various conditions.

    Risks

    • Legacy & Lore: Some stakeholders may not be willing to change due to their familiarity and comfort with business practices.
    • Bureaucracy & Politics: Competing and conflicting priorities of strategic products and services undermine digital transformation and broader modernization efforts.
    • Process Inefficiencies: Business processes are often burdened by wasteful activities. Digital products and services are only as valuable as the processes they support.
    • No Quality Standards: The performance and support of your digital products and services are hampered by unmanageable technical debt resulting from a deliberate decision to bypass or omit good quality practices.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Enhance the employee experience.

    Design the digital processes, tools, and technologies to meet the individual needs of the employee.

    Maximizing the Return on Technology

    Modernize or extend the use of existing investments.

    Drive higher adoption of applications and higher user value and productivity by implementing digital capabilities to the applications that will gain the most.

    Confidently Shifting to Digital

    Prioritize DX in your shift to digital. Include DX as part of your definition of success.

    Your products and services are not valuable if users, customers, and employees do not use them.

    Addressing Competing Priorities

    Ground your digital vision, goals, and objectives.

    Establish clear ownership of DX and digital products and services with a cross-functional prioritization framework.

    Fostering a Collaborative Culture

    Involve all perspectives in defining and delivering DX.

    Maintain a committee of owners, stakeholders, and delivery teams to ensure consensus and discuss how to address cross-functional opportunities and risks.

    Creating High-Throughput Teams

    Establish delivery principles centered on DX.

    Enforce guiding principles to streamline and simplify DX delivery, such as plug-and-play architecture and quality standards.

    Recommendations

    Build a digital business strategy

    A digital business strategy clearly articulates the goals and ambitions of the business to adopt digital practices, tools, and technologies. This document:

    • Looks for ways to transform the business by identifying what technologies to embrace, what processes to automate, and what new business models to create.
    • Unifies digital possibilities with your customer experiences.
    • Establishes accountability with the executive leadership.
    • States the importance of cross-functional participation from senior management across the organization.

    Learn, understand, and empathize with your users, employees, and customers

    • To create a better product, solution, or service, understanding those who use it, their needs, and their context is critical.
    • A great experience design practice can help you balance those goals so that they are in harmony with those of your users.
    • IT leaders must find ways to understand the needs of the business and develop empathy on a much deeper level. This empathy is the foundation for a thriving business partnership.

    Center product and service delivery decisions and activities on DX and quality

    The user, customer, employee, and brand are integral perspectives on the software development lifecycle (SDLC) and on the management and governance practices supporting digital products and services. Including these perspectives ensures quality standards and controls are consistently upheld while maintaining alignment with various needs and priorities. The goal is to come to a consensus on a universal definition and approach to embed quality and DX-thinking throughout the delivery process.

    Instill collaborative delivery practices

    Today's rapidly scaling and increasingly complex digital products and services create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality. This pressure is further compounded by the competing priorities of individual stakeholders and the nuances among different personas of digital products and services.

    A collaborative delivery practice sets the activities, channels, and relationships needed to deliver a valuable and quality product or service with cross-functional awareness, accountability, and agreement.

    Continuously monitor and modernize your digital products and services

    Today's modern digital products and services are tomorrow's shelfware. They gradually lose their value, and the supporting technologies will become obsolete. Modernization is a continuous need.

    Data-driven insights help decision makers decide which products and services to retire, upgrade, retrain on, or maintain to meet the demands of the business.

    Enhancements focusing on critical business capabilities strengthen the case for investment and build trust with all stakeholders.

    CASE STUDY
    Mastercard in Asia

    Focus on the customer journey

    Chief Marketing Officer M.V. Rajamannar (Raja) wanted to change Mastercard's iconic "Priceless" ad campaign (with the slogan "There are some things money can't buy. For everything else there's Mastercard."). The main reasons were that the campaign relied on one-way communication and targeted end customers, even though Mastercard doesn't issue cards directly to customers; partner banks do. To drive the change in campaign, Raja and his team created a digital engine that leveraged digital and social media. The digital engine is a seven-step process based on insights gleaned from data and real-time optimization.

    1. Emotional spark: Using data to understand customers' passion points, Mastercard builds videos and creatives to ignite an emotional spark and give customers a reason to engage. For example, weeks before New Year's Eve, Mastercard produced a video with Hugh Jackman to encourage customers to submit a story about someone who deeply mattered to them. The authors of the winning story would be flown to reunite with those both distant and dear.
    2. Engagement: Mastercard targets the right audience with a spark video through social media to encourage customers to share their stories.
    3. Offers: To help its partner banks and merchants in driving their business, the company identifies the best offers to match consumers' interests. In the above campaign, Mastercard's Asia-Pacific team found that Singapore was a favorite destination for Indian customers, so they partnered with Singapore's Resorts World Sentosa with an attractive offer.
    4. Real-time optimization: Mastercard optimizes, in real time, a portfolio of several offers through A/B testing and other analysis.
    5. Amplification: Real-time testing provides confidence to Mastercard about the potential success of these offers and encourages its bank and merchant partners to co-market and co-fund these campaigns.
    6. Network effects: A few weeks after consumers submitted their stories about distant loved ones, Mastercard selected winners, produced videos of them surprising their friends and families, and used these videos in social media to encourage sharing.
    7. Incremental transactions: These programs translate into incremental business for banks who issue cards, for merchants where customers spend money, and for Mastercard, which gets a portion of every transaction.

    Source: Harvard Business Review Press

    1. Emotional Spark: Drives genuine personal stories
    2. Engagement: Through Facebook and social media
    3. Offers: From merchants and Mastercard assets
    4. Optimization: Real-time testing of offers and themes
    5. Amplification: Paid and organic programmatic buying
    6. Network Effects: Sharing and mass engagement
    7. Incremental Transactions: Win-win for all parties

    The Mastercard case highlights important lessons on how to engage customers:

    • Have a broad message. Brands need to connect with consumers over how they live and spend their time. Organizations need to go beyond the brand or product message to become more relevant to consumers' lives. Dove soap was very successful in creating a conversation among consumers with its "Real Beauty" campaign, which focused not on the brand or even the product category, but on how women and society view beauty.
    • Shift from storytelling to story making. To break through the clutter of advertising, companies need to move from storytelling to story making. A broader message that is emotionally engaging allows for a two-way conversation.
    • Be consistent with the brand value. The brand needs to stand for something, and the content should be relevant to and consistent with the image of the brand. Pepsi announced an award of $20 million in grants to individuals, businesses, and nonprofits that promote a new idea to make a positive impact on community. A large number of submissions were about social causes that had nothing to do with Pepsi, and some, like reducing obesity, were in conflict with Pepsi's product.
    • Create engagement that drives business. Too much entertainment in ads may engage customers but detract from both communicating the brand message and increasing sales. Simply measuring the number of video views provides only a partial picture of a program's success.

    Intelligent Automation

    PRIORITY 2

    • Extend Automation Practices with AI and ML

    AI and ML are rapidly growing. Organizations see the value of machines intelligently executing high-performance and dynamic tasks such as driving cars and detecting fraud. Senior leaders see AI and ML as opportunities to extend their business process automation investments.

    Introduction

    Intelligent automation is the next step in your business process automation journey

    What is intelligent automation (IA)?

    Intelligent automation (IA) is the combination of traditional automation technologies, such as business process management (BPM) and robotic process automation (RPA), with AI and ML. The goal is to further streamline and scale decision making across various business processes by:

    • Removing human interactions.
    • Addressing decisions that involve complex variables.
    • Automatically adapting processes to changing conditions.
    • Bridging disparate automation technologies into an integrated end-to-end value delivery pipeline.

    "For IA to succeed, employees must be involved in the transformation journey so they can experience firsthand the benefits of a new way of working and creating business value," (Cognizant).

    What is the difference between IA and hyperautomation?

    "Hyperautomation is the act of automating everything in an organization that can be automated. The intent is to streamline processes across an organization using intelligent automation, which includes AI, RPA and other technologies, to run without human intervention. … Hyperautomation is a business-driven, disciplined approach that organizations use to rapidly identify, vet, and automate as many business and IT processes as possible" (IBM, 2021).

    Note that hyperautomation often enables IA, but teams solely adopting IA do not need to abide by its automation-first principles.

    IA is a combination of various tools and technologies

    What tools and technologies are involved in IA?

    • Artificial Intelligence (AI) & Machine Learning (ML) – AI systems perform tasks mimicking human intelligence, such as learning from experience and problem solving. AI makes its own decisions without human intervention. Machine learning systems learn from experience and without explicit instructions. They learn patterns from data, then analyze and make predictions based on past behavior and the patterns learned. AI is a combination of technologies and can include machine learning.
    • Intelligent Business Process Management System (iBPMS) – Combination of BPM tools with AI and other intelligence capabilities.
    • Robotic Process Automation (RPA) – Robots leveraging an application's UI rather than programmatic access. Automate rules-based, repetitive tasks performed by human workers with AI/ML.
    • Process Mining & Discovery – Process mining involves reading system event logs and application transactions and applying algorithmic analysis to automatically identify and map inferred business processes. Process discovery involves unintrusive virtual agents that sit on a user's desktop and record and monitor how they interact with applications to perform tasks and processes. Algorithms are then used to map and analyze the processes.
    • Intelligent Document Processing – The conversion of physical or unstructured documents into a structured, digital format that can be used in automation solutions. Optical character recognition (OCR) and natural language processing (NLP) are common tools used to enable this capability.
    • Advanced Analytics – The gathering, synthesis, transformation, and delivery of insightful and consumable information that supports data-driven decision making. Data is queried from various disparate sources and can take on a variety of structured and unstructured formats.

    The cycle of IA technologies

    Signals

    Process automation is an executive priority and requires organizational buy-in

    Stakeholders recognize the importance of business process automation and AI and are looking for ways to deliver more value using these technologies.

    • 90% of executives stated automating business workflows post-COVID-19 will ensure business continuity (Kofax, 2022).
    • 88% of executives stated they need to fast-track their end-to-end digital transformation (Kofax, 2022).

    However, the benefits vendors advertise for enabling these desired automations may not be easily achievable because of:

    • Manual and undocumented business processes.
    • Fragmented and inaccessible systems.
    • Poor data quality, insights, and security.
    • The lack of process governance and management practice.

    49% of CXOs stated staff sufficiency, skill, and engagement issues as a minor IT pain point, compared to 51% of CIOs who stated this issue as a major pain point.

    Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

    36% of organizations have already invested in AI or machine learning.

    Source: Tech Trends and Priorities 2023; N=662

    Drivers

    Quality & throughput

    Products and services delivered through an undefined and manual process risk the creation of preventable and catchable defects, security flaws and holes, missing information, and other quality issues. IA solutions consistently reinforce quality standards the same way across all products and services while tailoring outputs to meet an individual's specific needs. Success is dependent on the accurate interpretation and application of quality standards and the user's expectations.

    Worker productivity

    IA removes the tedious, routine, and mundane tasks that distract and restrict employees from doing more valuable, impactful, and cognitively focused activities. Practical insights can also be generated through IA tools that help employees make data-driven decisions, evaluate problems from different angles, and improve the usability and value of the products and services they produce.

    Good process management practices

    Automation magnifies existing inefficiencies of a business process management practice, such as unclear and outdated process documentation and incorrect assumptions. IA reinforces the importance of good business process optimization practices, such as removing waste and inefficiencies in a thoughtful way, choosing the most appropriate automation solution, and configuring the process in the right way to maximize the solution's value.

    Benefits & Risks

    Benefits

    • Documentation: All business processes must be mapped and documented to be automated, including business rules, data entities, applications, and control points.
    • Hands-Off: IA can be configured and orchestrated to automatically execute when certain business, process, or technology conditions are met in an unattended or attended manner.
    • Reusability: IA is applicable in use cases beyond traditional business processes, such as automated testing, quality control, audit, website scraping, integration platform, customer service, and data transfer.

    Risks

    • Data Quality & Bias: The accuracy and relevance of the decisions IA makes are dependent on the overall quality of the data used to train it.
    • Ethics: Some decisions can have significant reputational, moral, and ethical impacts if made incorrectly. The question is whether it is appropriate for a non-human to make that decision.
    • Recovery & Security: IA is composed of technologies that can be compromised or fail. Without the proper monitoring, controls, and recovery protocols, impacted IA will generate significant business and IT costs and can potentially harm customers, employees, and the organization.
    • Management: Low- and no-code capabilities ease and streamline IA development, which makes it susceptible to becoming unmanageable. Discipline is needed to ensure IA owners are aware of the size and health of the IA portfolio.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Be transparent and support role changes.

    Plan to address the human sentiment with automation (e.g. job security) and the transition of the role to other activities.

    Maximizing the Return on Technology

    Automate applications across multiple business functions.

    Recognize the value opportunities of improving and automating the integration of cross-functional processes.

    Confidently Shifting to Digital

    Maximize the learning of automation fit.

    Select the right capabilities to demonstrate the value of IA while using lessons learned to establish the appropriate support.

    Addressing Competing Priorities

    Recognize automation opportunities with capability maps.

    Use a capability diagram to align strategic IA objectives with tactical and technical IA initiatives.

    Fostering a Collaborative Culture

    Involve the user in the delivery process.

    Maximize automation adoption by ensuring the user finds value in its use before deployment.

    Creating High-Throughput Teams

    Remove manual, error-prone, and mundane tasks.

    Look for ways to improve team throughput by removing wasteful activities, enforcing quality, and automating away tasks driving down productivity.

    Recommendations

    Build your business process automation playbook and practice

    Formalize your business process automation practice with a good toolkit and a repeatable set of tactics and techniques.

    • Clarify the problem being solved with IA.
    • Optimate your processes. Apply good practices to first optimize (opti-) and then automate (-mate) key business processes.
    • Deliver minimum viable automations (MVAs). Maximize the learning of automation solutions and business operational changes through small, strategic automation use cases.

    Explore the various IA tooling options

    Each IA tool will address a different problem. Which tool to choose is dependent on a variety of factors, such as functional suitability, technology suitability, delivery and support capabilities, alignment to strategic business goals, and the value it is designed to deliver.

    Introduce AI and ML thoughtfully and with a plan

    Despite the many promises of AI, organizations are struggling to fully realize its potential. The reasons boil down to a lack of understanding of when these technologies should and shouldn't be used, as well as a fear of the unknown. The plan to adopt AI should include:

    • Understanding of what AI really means in practice.
    • Identifying specific applications of AI in the business.
    • Understanding the type of AI applicable for the situation.

    Mitigate AI and ML bias

    Biases can be introduced into an IA system at any stage of the development process, from the data you collect, to the way you collect it, to which algorithms are used and what assumptions were made. In most cases, AI and ML bias is a social, political, and business problem.

    While bias may not be intentional and may not be completely prevented or eliminated, early detection, good design, and other proactive preventative steps can minimize its scope and impact.

    CASE STUDY
    University Hospitals

    Challenge

    University Hospitals Cleveland (UH) faces the same challenge that every major hospital confronts regarding how to deliver increasingly complex, high-quality healthcare to a diverse population efficiently and economically. In 2017, UH embarked on a value improvement program aiming to improve quality while saving $400 million over a five-year period.

    In emergency department (ED) and inpatient units, leaders found anticipating demand difficult, and consequently units were often over-staffed when demand was low and under-staffed when demand was high. Hospital leaders were uncertain about how to reallocate resources based on capacity needs.

    Solution

    UH turned to Hospital IQ's Census Solution to proactively manage capacity, staff, and flow in the ED and inpatient areas.

    By applying AI, ML, and external data (e.g. weather forecasts) to the hospital's own data (including EMR data and hospital policies), the solution helped UH make two-day census forecasts that managers used to determine whether to open or close in-patient beds and, when necessary, divert low-acuity patients to other hospitals in the system to handle predicted patient volume.

    Source: University Hospitals

    Results

    ED boarding hours have declined by 10% and the hospital has seen a 50% reduction in the number of patients who leave the hospital without being seen.

    UH also predicts in advance patients ready for discharge and identifies roadblocks, reducing the average length of stay by 15%. UH is able to better manage staff, reducing overtime and cutting overall labor costs.

    The hospital has also increased staff satisfaction and improved patient safety by closing specific units on weekends and increasing the number of rooms that can be sterilized.

    Proactive Application Management

    PRIORITY 3

    • Strengthen Applications to Prevent and Minimize the Impact of Future Issues

    Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on application management when it becomes a problem. The lack of governance and practice accountability leaves this practice in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated. As a result, application management is often reactive and brushed aside for new development.

    Introduction

    What is application management?

    Application management ensures valuable software is successfully delivered and is maintained for continuous and sustainable business operations. It contains a repeatable set of activities needed to rationalize and roadmap products and services while balancing priorities of new features and maintenance tasks.

    Unfortunately, application management is commonly perceived as a practice that solely addresses issues, updates, and incidents. However, application management teams are also tasked with new value delivery that was not part of the original release.

    Why is an effective application maintenance (reactive) practice not good enough?

    Application maintenance is the "process of modifying a software system or its components after delivery to correct faults, improve performance or other attributes, or adapt to a changed environment or business process" (IEEE, 1998). While it is critical to quickly fix defects and issues when they occur, reactively addressing them is more expensive than discovering them early and employing the practices to prevent them.

    Even if an application is working well, its framework, architecture, and technology may not be compatible with the possible upcoming changes stakeholders and vendors may want to undertake. Applications may not be problems now, but they soon can be.

    What motivates proactive application changes?

    This image shows the motivations for proactive application changes, sorted by external and internal sources.

    Proactive application management must be disciplined and applied strategically

    Proactive application management practices are critical to maintaining business continuity. They require continuous review and modification so that applications are resilient and can address current and future scenarios. Depending on the value of the application, its criticality to business operations, and its susceptibility to technology change, a more proactive management approach may be warranted. Stakeholders can then better manage resources and budget according to the needs of specific products.

    Reactive Management

    Run-to-Failure

    Fix and enhance the product when it breaks. In most cases, a plan is in place ahead of a failure, so that the problem can be addressed without significant disruption and costs.

    Preventive

    Regularly inspect and optimize the product to reduce the likelihood that it will fail in the future. Schedule inspections based on a specific timeframe or usage threshold.

    Predictive

    Predict failures before they happen using performance and usage data to alert teams when products are at risk of failure according to specified conditions.

    Reliability and Risk Based

    Analyze all possible failure scenarios for each component of the product and create tailored delivery plans to improve the stability, reliability, and value of each product.

    Proactive Management

    Signals

    Applications begin to degrade as soon as they are used

    Today's applications are tomorrow's shelfware. They gradually lose their value, stability, robustness, and compatibility with other enterprise technologies. The longer these applications are left unattended or simply "keeping the lights on," the more risks they will bring to the application portfolio, such as:

    • Discovery and exploitation of security flaws and gaps.
    • Increasing the lock-in to specific vendor technologies.
    • Inconsistent application performance across various workloads.

    These impacts are further compounded by the continuous work done on a system burdened with technical debt. Technical debt describes the result of avoided costs that, over time, cause ongoing business impacts. Left unaddressed, technical debt can become an existential threat that risks your organization's ability to effectively compete and serve its customers. Unfortunately, most organizations have a significant, growing, unmanageable technical debt portfolio.

    60% of respondents stated they saw an increase in perceived change in technical debt during the past three years. A quarter of respondents indicated that it stayed the same.

    Source: McKinsey Digital, 2020.

    US$4.35 million is the average cost of a data breach in 2022. This figure represents a 2.6% increase from last year. The average cost has climbed 12.7% since 2020.

    Source: IBM, 2022; N=537.

    Drivers

    Technical debt

    Historical decisions to meet business demands by deferring key quality, architectural, or other software delivery activities often lead to inefficient and incomplete code, fragile legacy systems, broken processes, data quality problems, and the other contributors to technical debt. The impact of this challenge is further heightened if organizations are not actively refactoring and updating their applications behind the scenes. Proactive application management is intended to raise awareness of application fragility and prioritize comprehensive refactoring activities alongside new feature development.

    Long-term application value

    Applications are designed, developed, and tested against a specific set of parameters which may become less relevant over time as the business matures, technology changes, and user behaviors and interactions shift. Continuous monitoring of the application system, regular stakeholder and user feedback, and active technology trend research and vendor engagement will reveal tasks to prepare an application for future value opportunities or stability and resilience concerns.

    Security and resiliency

    Innovative approaches to infiltrating and compromising applications are becoming prevailing stakeholder concerns. The loopholes and gaps in existing application security protocols, control points, and end-user training are exploited to gain the trust of unsuspecting users and systems. Proactive application management enforces continuous security reviews to determine whether applications are at risk. The goal is to prevent an incident from happening by hardening or complementing measures already in place.

    Benefits & Risks

    Benefits

    • Consistent Performance – Users expect the same level of performance and experience from their applications in all scenarios. A proactive approach ensures the configurations meet the current needs of users and dependent technologies.
    • Robustness – Proactively managed applications are resilient to the latest security concerns and upcoming trends.
    • Operating Costs – Continuous improvements to the underlying architecture, codebase, and interfaces can minimize the cost to maintain and operate the application, such as the transition to a loosely coupled architecture and the standardization of REST APIs.

    Risks

    • Stakeholder Buy-In – Stakeholders may not see the association between the application's value and its technical quality.
    • Delayed Feature Releases – Updates and enhancements are system changes much like any application function. Depending on the priority of these changes, new functions may be pushed off to a future release cycle.
    • Team Capacity – Applications teams require dedicated capacity to proactively manage applications, but they are often occupied meeting other stakeholder demands.
    • Discipline – Overinvesting in certain application management activities (such as refactoring, re-architecture, and redesign) can create more challenges. Knowing how much to do is important.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Shift focus from maintenance to innovation.

    Work on the most pressing and critical requests first, with a prioritization framework reflecting cross-functional priorities.

    Maximizing the Return on Technology

    Improve the reliability of mission-critical applications.

    Regularly verify and validate that applications are up to date with the latest patches and fixes and comply with industry good practices and regulations.

    Confidently Shifting to Digital

    Prepare applications to support digital tools and technologies.

    Focus enhancements on the key components required to support the integration, performance, and security needs of digital.

    Addressing Competing Priorities

    Rationalize the health of the applications.

    Use data-driven, compelling insights to justify the direction and prioritization of applications initiatives.

    Fostering a Collaborative Culture

    Include the technical perspective in the viability of future applications plans.

    Demonstrate how poorly maintained applications impede the team's ability to deliver confidently and quickly.

    Creating High-Throughput Teams

    Simplify applications to ease delivery and maintenance.

    Refactor away application complexities and align the application portfolio to a common quality standard to reduce the effort to deliver and test changes.

    Recommendations

    Reinforce your application maintenance practice

    Maintenance is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on maintenance when it becomes a problem.

    • Justify the necessity of streamlined maintenance.
    • Strengthen triaging and prioritization practices.
    • Establish and govern a repeatable process.

    Ensure product issues, incidents, defects, and change requests are promptly handled to minimize business and IT risks.

    Build an application management practice

    Apply the appropriate management approaches to maintain business continuity and balance priorities and commitments among maintenance and new development requests.

    This practice serves as the foundation for creating exceptional customer experience by emphasizing cross-functional accountability for business value and product and service quality.

    Manage your technical debt

    Technical debt is a type of technical risk, which in turn is business risk. It's up to the business to decide whether to accept technical debt or mitigate it. Create a compelling argument to stakeholders as to why technical debt should be a business priority rather than just an IT one.

    • Define and identify your technical debt.
    • Conduct a business impact analysis.
    • Identify opportunities to better manage technical debt.

    Gauge your application's health

    Application portfolio management is nearly impossible to perform without an honest and thorough understanding of your portfolio's alignment to business capabilities, business value, total cost of ownership, end-user reception and satisfaction, and technical health.

    Develop data-driven insights to help you decide which applications to retire, upgrade, retrain on, or maintain to meet the demands of the business.

    Adopt site reliability engineering (SRE) and DevOps practices

    Site reliability engineering (SRE) is an operational model for running online services more reliably by a team of dedicated reliability-focused engineers.

    DevOps, an operational philosophy promoting development and operations collaboration, can bring the critical insights to make application management practices through SRE more valuable.

    CASE STUDY
    Government Agency

    Goal

    A government agency needed to implement a disciplined, sustainable application delivery, planning, and management process so their product delivery team could deliver features and changes faster with higher quality. The goal was to ensure change requests, fixes, and new features would relieve requester frustrations, reduce regression issues, and allow work to be done on agreeable and achievable priorities organization-wide. The new model needed to increase practice efficiency and visibility in order to better manage technical debt and focus on value-added solutions.

    Solution

    This organization recognized a number of key challenges that were inhibiting its team's ability to meet its goals:

    • The product backlog had become too long and unmanageable.
    • Delivery resources were not properly allocated to meet the skills and capabilities needed to successfully meet commitments.
    • Quality wasn't defined or enforced, which generated mounting technical debt.
    • There was a lack of clear metrics and defined roles and responsibilities.
    • The business had unrealistic and unachievable expectations.

    Source: Info-Tech Workshop

    Key practices implemented

    • Schedule quarterly business satisfaction surveys.
    • Structure and facilitate regular change advisory board meetings.
    • Define and enforce product quality standards.
    • Standardize a streamlined process with defined roles.
    • Configure management tools to better handle requests.

    Multisource Systems

    PRIORITY 4

    • Manage an Ecosystem Composed of In-House and Outsourced Systems

    Various market and company factors are motivating a review of resource and system sourcing strategies. The right sourcing model provides key skills, resources, and capabilities to meet innovation, time to market, financial, and quality goals of the business. However, organizations struggle with how best to support sourcing partners and to allocate the right number of resources to maximize success.

    Introduction

    A multisource system is an ecosystem of integrated internally and externally developed applications, data, and infrastructure. These technologies can be custom developed, heavily configured vendor solutions, or they may be commercial off-the-shelf (COTS) solutions. These systems can also be developed, supported, and managed by internal staff, in partnership with outsourced contractors, or be completely outsourced. Multisource systems should be configured and orchestrated in a way that maximizes the delivery of specific value drivers for the targeted audience.

    Successfully selecting a sourcing approach is not a simple RFP exercise to choose the lowest cost

    Defining and executing a sourcing approach can be a significant investment and risk because of the close interactions third-party services and partners will have with internal staff, enterprise applications, and business capabilities. Careful selection and design are necessary.

    The selection of a sourcing partner is not simple. It involves the detailed inspection and examination of different candidates and matching their fit to the broader vision of the multisource system. In cases where control is critical, technology stack and resource sourcing consolidation to a few vendors and partners is preferred. In other cases, where worker productivity and system flexibility are highly prioritized, a plug-and-play best-of-breed approach is preferred.

    Typical factors involved in sourcing decisions.

    Sourcing needs to be driven by your department and system strategies

    How does the department want to be perceived?

    The image that your applications department and teams want to reflect is frequently dependent on the applications they deliver and support, the resources they are composed of, and the capabilities they provide.

    Therefore, choosing the right sourcing approach should be driven by understanding who the teams are and want to be (e.g. internal builder, an integrator, a plug-in player), what they can or want to do (e.g. custom-develop or implement), and what they can deliver or support (e.g. cloud or on-premises).

    What value is the system delivering?

    Well-integrated systems are the lifeblood of your organization. They provide the capabilities needed to deliver value to customers, employees, and stakeholders. However, underlying system components may not be sourced under a unified strategy, which can lead to duplicate vendor services and high operational costs.

    The right sourcing approach ensures your partners address key capabilities in your system's delivery and support, and that they are positioned to maximize the value of critical and high-impact components.

    Signals

    Business demand may outpace what vendors can support or offer

    Outsourcing and shifting to a buy-over-build applications strategy are common quick fixes to dealing with capacity and skills gaps. However, these quick fixes often become long-term implementations that are not accounted for in the sourcing selection process. Current application and resource sourcing strategies must be reviewed to ensure that vendor arrangements meet the current and upcoming demands and challenges of the business, customers, and enterprise technologies, such as:

    • Pressure from stakeholders to lower operating costs while maintaining or increasing quality and throughput.
    • Technology lock-in that addresses short-term needs but inhibits long-term growth and maturity.
    • Team capacity and talent acquisition not meeting the needs of the business.

    42% of respondents stated they outsourced software development fully or partly in the last 12 months (2021).

    Source: Coding Sans, 2021.

    65% of respondents stated they were at least somewhat satisfied with the result of outsourcing software development.

    Source: Coding Sans, 2021.

    Drivers

    Business-managed applications

    Employees are implementing and building applications without consulting, notifying, or heeding the advice of IT. IT is often ill-equipped and under-resourced to fight against shadow IT. Instead, organizations are shifting the mindset of "fight shadow IT" to "embrace business-managed applications," using good practices in managing multisource systems. A multisource approach strikes the right balance between user empowerment and centralized control with the solutions and architecture that can best enable it.

    Unique problems to solve

    Point solutions offer features to address unique use cases in uncommon technology environments. However, point solutions are often deployed in siloes with limited integration or overlap with other solutions. The right sourcing strategy accommodates the fragmented nature of point solutions into a broader enterprise system strategy, whether that be:

    • Multisource best of breed – integrate various technologies that provide subsets of the features needed for supporting business functions.
    • Multisource custom – integrate systems built in-house with technologies developed by external organizations.
    • Vendor add-ons and integrations – enhance an existing vendor's offering by using their system add-ons as upgrades, new add-ons, or integrations.

    Vendor services

    Some vendor services in a multisource environment may be redundant, conflicting, or incompatible. Given that multisource systems are regularly changing, it is difficult to identify what services are affected, what would be needed to fill the gap of the removed solution, or which redundant services should be removed.

    A multisource approach motivates the continuous rationalization of your vendor services and partners to determine the right mixture of in-house and outsourced resources, capabilities, and technologies.

    Benefits & Risks

    Benefits

    • Business-Focused Solution – Multisource systems can be designed to support an employee's ability to select the tools they want and need.
    • Flexibility – The environment is architected in a loosely coupled approach to allow applications to be easily added, removed, and modified with minimized impact to other integrated applications.
    • Cost Optimization – Rather than investing in large solutions upfront, applications are adopted when they are needed and are removed when little value is gained. Disciplined application portfolio management is necessary to see the full value of this benefit.

    Risks

    • Manageable Sprawl – The increased number and diversity of applications in multisource system environments can overwhelm system managers who do not have an effective application portfolio management practice.
    • Policy Adherence – Fragmented application implementations risk inconsistent adherence to security and other quality policies, especially in situations where IT is not involved.
    • Integration & Compatibility – Application integration can quickly become tangled, untraceable, and unmanageable because of varying team and vendor preferences for specific integration technologies and techniques.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    Attracting and Retaining Talent

    Enable business-managed applications.

    Create the integrations to enable the easy connection of desired tools to enterprise systems with the appropriate guardrails.

    Maximizing the Return on Technology

    Enhance the functionality of existing applications.

    Complement current application capability gaps with data, features, and services from third-party applications.

    Confidently Shifting to Digital

    Use best-of-breed tools to meet specific digital needs.

    Select the best tools to meet the unique and special functional needs of the digital vision.

    Addressing Competing Priorities

    Agree on a common philosophy on system composition.

    Establish an owner of the multisource system to guide how the system should mature as the organization grows.

    Fostering a Collaborative Culture

    Discuss how applications can work together better in an ecosystem.

    Build committees to discuss how applications can better support each other and drive more value.

    Creating High-Throughput Teams

    Alleviate delivery bottlenecks and issues.

    Leverage third-party sources to fill skills and capacity gaps until a long-term solution can be implemented.

    Recommendations

    Define the goals of your applications department and product vision

    Understanding the applications team's purpose and image is critical in determining how the system they are managing and the skills and capacities they need should be sourced.

    Changing and conflicting definitions of value and goals make it challenging to convey an agreeable strategy of the multisource system. An achievable vision and practical tactics ensure all parties in the multisource system are moving in the same direction.

    Develop a sourcing partner strategy

    Almost half of all sourcing initiatives do not realize projected savings, and the biggest reason is the choice of partner (Zhang et al., 2018). Making the wrong choice means inferior products, higher costs and the loss of both clients and reputation.

    Choosing the right sourcing partner involves understanding current skills and capacities, finding the right matching partner based on a desired profile, and managing a good working relationship that sees short-term gains and supports long-term goals.

    Strengthen enterprise integration practices

    Integration strategies that are focused solely on technology are likely to complicate rather than simplify because little consideration is given to how other systems and processes will be impacted. Enterprise integration needs to bring together business process, applications, and data – in that order.

    Kick-start the process of identifying opportunities for improvement by mapping how applications and data are coordinated to support business activities.

    Manage your solution architecture and application portfolio

    Haphazardly implementing and integrating applications can generate significant security, performance, and data risks. A well-thought-through solution architecture is essential in laying the architecture quality principles and roadmap on how the multisource system can grow and evolve in a sustainable and maintainable way.

    Good application portfolio management complements the solution architecture as it indicates when low-value and unused applications should be removed to reduce system complexity.

    Embrace business-managed applications

    Multisource systems bring a unique opportunity to support the business and end users' desire to implement and develop their own applications. However, traditional models of managing applications may not accommodate the specific IT governance and management practices required to operate business-managed applications:

    • A collaborative and trusting business-IT relationship is key.
    • The role of IT must be reimagined.
    • Business must be accountable for its decisions.

    CASE STUDY
    Cognizant

    Situation

    • Strives to be primarily an industry-aligned organization that delivers multiple service lines in multiple geographies.
    • Cognizant seeks to carefully consider client culture to create a one-team environment.
    • Value proposition is a consultative approach bringing thought leadership and mutually adding value to the relationship vs. the more traditional order-taker development partner.
    • Wants to share in solution development to facilitate shared successes. Geographic alignment drives knowledge of the client and their challenges, not just about time zone and supportability.
    • Offers one of the largest offshore capabilities in the world, supported by local and nearshore resources to drive local knowledge.
    • Today's clients don't typically want a black box; they are sophisticated and want transparency around the process and solution, and to have a partner.
    • Clients do want to know where the work is being delivered from and how it's being done.

    Source: interview with Jay MacIsaac, Cognizant.

    Approach

    • Best relationship comes where teams operate as one.
    • Clients are seeking value, not a development black box.
    • Clients want to have a partner they can engage with, not just an order taker.
    • Want to build a one-team culture with shared goals and deliver business value.
    • Seek a partner that will add to their thinking, not echo it.

    Results

    • Cognizant is continuing to deliver double-digit growth and continues to strive for top quartile performance.
    • Growth in the client base has seen the company grow to over 340,000 associates worldwide.

    Digital Organization as a Platform

    PRIORITY 5

    • Create a Common Digital Interface to Access All Products and Services

    A digital platform enables organizations to leverage a flexible, reliable, and scalable foundation to create a valuable DX, ease delivery and management efforts, maximize existing investments, and motivate the broader shift to digital. This approach provides a standard to architect, integrate, configure, and modernize the applications that compose the platform.

    Introduction

    What is digital organization as a platform (DOaaP)?

    Digital organization as a platform (DOaaP) is a collection of integrated digital services, products, applications, and infrastructure that is used as a vehicle to meet and exceed an organization's digital strategies. It often serves as an accessible "place for exchanges of information, goods, or services to occur between producers and consumers as well as the community that interacts with said platform" (Watts, 2020).

    DOaaP involves a strategy that paves the way for organizations to be digital. It helps organizations use their assets (e.g. data, processes, products, services) in the most effective ways and become more open to cooperative delivery, usage, and management. This opens opportunities for innovation and cross-department collaborations.

    How is DOaaP described?

    1. Open and Collaborative
      • Open organization: open data, open APIs, transparency, and user participation.
      • Collaboration, co-creation, crowdsourcing, and innovation
    2. Accessible and Connected
      • Digital inclusion
      • Channel ubiquity
      • Integrity and interoperability
      • Digital marketplace
    3. Digital and Programmable
      • Digital identity
      • Policies and processes as code
      • Digital products and services
      • Enabling digital platforms

    Digital organizations follow a common set of principles and practices

    Customer-centricity

    Digital organizations are driven by customer focus, meeting and exceeding customer expectations. They must design their services with a "digital first" principle, providing access through every expected channel and including seamless integration and interoperability with various departments, partners, and third-party services. It also means creating trust in their ability to provide secure services and to keep privacy and ethics as core pillars.

    Leadership, management, and strategies

    Digital leadership brings customer focus to the enterprise and its structures and organizes efficient networks and ecosystems. Accomplishing this means getting rid of silos and a siloed mentality and aligning on a digital vision to design policies and services that are efficient, cost-effective, and provide maximum benefit to the user. Asset sharing, co-creation, and being open and transparent become cornerstones of a digital organization.

    Infrastructure

    Providing digital services across demographics and geographies requires infrastructure, and that in turn requires long-term vision, smart investments, and partnerships with various source partners to create the necessary foundational infrastructure upon which to build digital services.

    Digitization and automation

    Automation and digitization of processes and services, as well as creating digital-first products, lead to increased efficiency and reach of the organization across demographics and geographies. Moreover, by taking a digital-first approach, digital organizations future-proof their services and demonstrate their commitment to stakeholders.

    Enabling platforms

    DOaaP embraces open standards, designing and developing organizational platforms and ecosystems with a cloud-first mindset and sound API strategies. Developer experience must also take center stage: providing the necessary tools and embracing Agile and DevOps practices and culture become prerequisites. Cybersecurity and privacy are central to the digital platform; hence they must be part of the design and development principles and practices.

    Signals

    The business expects support for digital products and services

    Digital transformation continues to be a high-priority initiative for many organizations, and they see DOaaP as an effective way to enable and exploit digital capabilities. However, DOaaP unleashes new strategies, opportunities, and challenges that are elusive or unfamiliar to business leaders. Barriers in current business operating models may limit DOaaP success, such as:

    • Department and functional silos
    • Dispersed, fragmented and poor-quality data
    • Ill-equipped and under-skilled resources to support DOaaP adoption
    • System fragmentation and redundancies
    • Inconsistent integration tactics employed across systems
    • Disjointed user experience leading to low engagement and adoption

    DOaaP is not just about technology, and it is not the sole responsibility of either IT or business. It is the collective responsibility of the organization.

    47% of organizations plan to unlock new value through digital. 50% of organizations are planning major transformation over the next three years.

    Source: Nash Squared, 2022.

    70% of organizations are undertaking digital expansion projects focused on scaling their business with technology. This result is up from 57% in 2021.

    Source: F5 Inc, 2022.

    Drivers

    Unified brand and experience

    Users should have the same experience and perception of a brand no matter what product or service they use. However, fragmented implementation of digital technologies and inconsistent application of design standards makes it difficult to meet this expectation. DOaaP embraces a single design and DX standard for all digital products and services, which creates a consistent perception of your organization's brand and reputation irrespective of what products and services are being used and how they are accessed.

    Accessibility

    Rapid advancement of end-user devices and changes to end-user behaviors and expectations often outpace an organization's ability to meet these requirements. This can make certain organization products and services difficult to find, access and leverage. DOaaP creates an intuitive and searchable interface to all products and services and enables the strategic combination of technologies to collectively deliver more value.

    Justification for modernization

    Many opportunities are left off the table when legacy systems are abstracted away rather than modernized. However, legacy systems may not justify the investment in modernization because their individual value is outweighed by the cost. A DOaaP initiative motivates decision makers to look at the entire system (i.e. modern and legacy) to determine which components need to be brought up to a minimum digital state. The conversation has now changed. Legacy systems should be modernized to increase the collective benefit of the entire DOaaP.

    Benefits & Risks

    Benefits

    • Look & Feel: A single, modern, customizable interface enables a common look and feel no matter what and how the platform is being accessed.
    • User Adoption: Organizations can motivate and encourage the adoption and use of all products and services through the platform and increase the adoption of underused technologies.
    • Shift to Digital: DOaaP motivates and supports the modernization of data, processes, and systems to meet the goals and objectives outlined in the broader digital transformation strategy.

    Risks

    • Data Quality: Each system may have a different definition of commonly used entities (e.g. customer), which can cause data quality issues when information is shared among these systems.
    • System Stability: DOaaP can stress the performance of underlying systems due to the limitations of some systems to handle increased traffic.
    • Ability to Modernize: Some systems cannot be modernized due to cost constraints, business continuity risks, vendor lock-in, legacy and lore, or other blocking factors.
    • Business Model Change: Limited appetite to make the necessary changes to business operations in order to maximize the value of DOaaP technologies.

    Address your pressure points to fully realize the benefits of this priority

    Success can be dependent on your ability to address your pressure points.

    • Attracting and Retaining Talent: Promote and showcase achievements and successes. Share the valuable and innovative work of your teams across the organization and with the public.
    • Maximizing the Return on Technology: Increase visibility of underused applications. Promote the adoption and use of all products and services through the platform and use the lessons learned to justify removal, updates or modernizations.
    • Confidently Shifting to Digital: Bring all applications up to a common digital standard. Define the baseline digital state all applications, data, and processes must be in to maximize the value of the platform.
    • Addressing Competing Priorities: Map to a holistic platform vision, goals and objectives. Work with relevant stakeholders, teams and end users to agree on a common directive considering all impacted perspectives.
    • Fostering a Collaborative Culture: Ensure the platform is configured to meet the individual needs of the users. Tailor the interface and capabilities of the platform to address users' functional and personal concerns.
    • Creating High-Throughput Teams: Abstract the enterprise system to expedite delivery. Use the platform to standardize application system access to simplify platform changes and quicken development and testing.

    Recommendations

    Define your platform vision

    Organizations realize that a digital model is the way to provide more effective services to their customers and end users in a cost-effective, innovative, and engaging fashion. DOaaP is a way to help support this transition.

    However, various platform stakeholders will have different interpretations of and preferences for what this platform is intended to solve, what benefits it is supposed to deliver, and what capabilities it will deliver. A grounded vision is imperative to steer the roadmap and initiatives.

    Assess and modernize your applications

    Certain applications may not sufficiently support the compatibility, flexibility, and efficiency requirements of DOaaP. While workaround technologies and tactics can be employed to overcome these application challenges, the full value of the DOaaP may not be realized.

    Reviewing the current state of the application portfolio will indicate the functional and value limitations of what DOaaP can provide and the scope of investment needed to bring applications up to a minimum state.

    Understand and evaluate end-user needs

    Technology has reached a point where it's no longer difficult for teams to build functional and valuable digital platforms. Rather, the difficulty lies in creating an interface and platform that people want to use and use frequently.

    While it is important to increase the access and promotion of all products and services, orchestrating and configuring them in a way to deliver a satisfying experience is even more important. Applications teams must first learn about and empathize with the needs of end users.

    Architect your platform

    Formalizing and constructing DOaaP just for the sake of doing so often results in an initiative that is lengthy and costly and ends up being considered a failure.

    The build and optimization of the platform must be predicated on a thorough understanding of the DOaaP's goals, objectives, and priorities and the business capabilities and processes they are meant to support and enable. The appropriate architecture and delivery practices can then be defined and employed.

    CASE STUDY
    e-Estonia

    Situation

    The digital strategy of Estonia resulted in e-Estonia, with the vision of "creating a society with more transparency, trust, and efficiency." Estonia has addressed the challenge by creating structures, organizations, and a culture of innovation, and then using the speed and efficiency of digital infrastructure, apps, and services. This strategy can reduce or eliminate bureaucracy through transparency and automation.

    Estonia embarked on its journey to making digital a priority in 1994-1996, focusing on a committed investment in infrastructure and digital literacy. With that infrastructure in place, they started providing digital services like an e-banking service (1996), e-tax and mobile parking (2002), and then went full steam ahead with a digital information interoperability platform in 2001, digital identity in 2002, e-health in 2008, and e-prescription in 2010. The government is now strategizing for AI.

    Results

    [Image: results of the e-Estonia case study]

    Source: e-Estonia

    Practices employed

    The e-Estonia digital government model serves as a reference for governments across the world; this is acknowledged by the various awards it has received, like #2 in "internet freedom," awarded by Freedom House in 2019; #1 on the "digital health index," awarded by the Bertelsmann Foundation in 2019; and #1 on "start-up friendliness," awarded by Index Venture in 2018.

    References

    "15th State of Agile Report." Digital.ai, 2021. Web.
    "2022 HR Trends Report." McLean & Company, 2022.
    "2022: State of Application Strategy Report." F5 Inc, 2022.
    "Are Executives Wearing Rose-Colored Glasses Around Digital Transformation?" Cyara, 2021. Web.
    "Cost of a Data Breach Report 2022." IBM, 2022. Web.
    Dalal, Vishal, et al. "Tech Debt: Reclaiming Tech Equity." McKinsey Digital, Oct. 2020. Web.
    "Differentiating Between Intelligent Automation and Hyperautomation." IBM, 15 October 2021. Web.
    "Digital Leadership Report 2021." Harvey Nash Group, 2021.
    "Digital Leadership Report 2022: The State of Digital." Nash Squared, 2022. Web.
    Gupta, Sunil. "Driving Digital Strategy: A Guide to Reimagining Your Business." Harvard Business Review Press, 2018. Web.
    Haff, Gordon. "State of Application Modernization Report 2022." Konveyor, 2022. Web.
    "IEEE Standard for Software Maintenance: IEEE Std 1219-1998." IEEE Standard for Software Maintenance, 1998. Accessed Dec. 2015.
    "Intelligent Automation." Cognizant, n.d. Web.
    "Kofax 2022: Intelligent Automation Benchmark Study." Kofax, 2021. Web.
    McCann, Leah. "Barco's Virtual Classroom at UCL: A Case Study for the Future of All University Classrooms?" rAVe, 2 July 2020. Web.
    "Proactive Staffing and Patient Prioritization to Decompress ED and Reduce Length of Stay." University Hospitals, 2018. Web.
    "Secrets of Successful Modernization." looksoftware, 2013. Web.
    "State of Software Development." Coding Sans, 2021. Web.
    "The State of Low-Code/No-Code." Creatio, 2021. Web.
    "We Have Built a Digital Society and We Can Show You How." e-Estonia. n.d. Web.
    Zanna. "The 5 Types of Experience Series (1): Brand Experience Is Your Compass." Accelerate in Experience, 9 February 2020. Web.
    Zhang, Y. et al. "Effects of Risks on the Performance of Business Process Outsourcing Projects: The Moderating Roles of Knowledge Management Capabilities." International Journal of Project Management, 2018, vol. 36 no. 4, 627-639.

    Research Contributors and Experts

    Chris Harrington
    Chief Technology Officer
    Carolinas Telco Federal Credit Union

    Chris Harrington is Chief Technology Officer (CTO) of Carolinas Telco Federal Credit Union. Harrington is a proven leader with over 20 years of experience developing and leading information technology and cybersecurity strategies and teams in the financial industry space.

    Benjamin Palacio
    Senior Information Technology Analyst
    County of Placer

    Benjamin Palacio has been working in the application development space since 2007 with a strong focus on system integrations. He has seamlessly integrated applications data across multiple states into a single reporting solution for management teams to evaluate, and he has codeveloped applications to manage billions in federal funding. He is also a CSAC-credentialed IT Executive (CA, USA).

    Scott Rutherford
    Executive Vice President, Technology
    LGM Financial Services Inc.

    Scott heads the Technology division of LGM Financial Services Inc., a leading provider of warranty and financing products to automotive OEMs and dealerships in Canada. His responsibilities include strategy and execution of data and analytics, applications, and technology operations.

    Robert Willatts
    IT Manager, Enterprise Business Solutions and Project Services
    Town of Newmarket

    Robert is passionate about technology, innovation, and Smart City Initiatives. He makes customer satisfaction the top priority in every one of his responsibilities and accountabilities as an IT manager, such as developing business applications, implementing and maintaining enterprise applications, and implementing technical solutions. Robert encourages communication, collaboration, and engagement as he leads and guides IT in the Town of Newmarket.

    Randeep Grewal
    Vice President, Enterprise Applications
    Red Hat

    Randeep has over 25 years of experience in enterprise applications, advanced analytics, enterprise data management, and consulting services, having worked at numerous blue-chip companies. In his most recent role, he is the Vice President of Enterprise Applications at Red Hat. Reporting to the CIO, he is responsible for Red Hat's core business applications with a focus on enterprise transformation, application architecture, engineering, and operational excellence. He previously led the evolution of Red Hat into a data-led company by maturing the enterprise data and analytics function to include data lake, streaming data, data governance, and operationalization of analytics for decision support.

    Prior to Red Hat, Randeep was the director of global services strategy at Lenovo, where he led the strategy using market data to grow Lenovo's services business by over $400 million in three years. Prior to Lenovo, Randeep was the director of advanced analytics at Alliance One and helped build an enterprise data and analytics function. His earlier work includes seven years at SAS, helping SAS become a leader in business analytics, and at KPMG consulting, where he managed services engagements at Fortune 100 companies.

    Grow Your Own PPM Solution

    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $47,944 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As portfolio manager, you’re responsible for supporting the intake of new project requests, providing visibility into the portfolio of in-flight projects, and helping to facilitate the right approval and prioritization decisions.
    • You need a project portfolio management (PPM) tool that promotes the maintenance and flow of good data to help you succeed in these tasks. However, while throwing expensive technology at bad process rarely works, many organizations take this approach to solve their PPM problems.
    • Commercial PPM solutions are powerful and compelling, but they are also expensive, complex, and hard to use. When a solution is not properly adopted, the data can be unreliable and inconsistent, defeating the point of purchasing a tool in the first place.

    Our Advice

    Critical Insight

    • Your choice of PPM solution must be in tune with your organizational PPM maturity to ensure that you are prepared to sustain the tool use without having the corresponding PPM processes collapse under their own weight.
    • A spreadsheet-based homegrown PPM solution can provide key capabilities of an optimized PPM solution with a high level of sophistication and complexity without the prohibitive capital and labor costs demanded by a commercial PPM solution.
    • Focus on the PPM decision makers who will consume the reports and insights by investigating their specific reporting needs.

    Impact and Result

    • Think outside the commercial box. Develop an affordable, adoptable, and effective PPM solution using widely available tools based on Info-Tech’s ready-to-deploy templates.
    • Make your solution sustainable. When it comes to portfolio management, high level is better. A tool that is accurate and maintainable will provide more value than one that strives for precise data yet is ultimately unmaintainable.
    • Report success. A PPM tool needs to foster portfolio visibility in order to engage and inform the executive layer and support effective decision making.

    Grow Your Own PPM Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should grow your own PPM solution, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Right-size your PPM solution

    Scope an affordable, adoptable, and effective PPM solution with Info-Tech's Portfolio Manager 2017 workbook.

    • Grow Your Own PPM Solution – Phase 1: Right-Size Your PPM Solution
    • Portfolio Manager 2017 Cost-in-Use Estimation Tool

    2. Get to know Portfolio Manager 2017

    Learn how to use Info-Tech's Portfolio Manager 2017 workbook and create powerful reports.

    • Grow Your Own PPM Solution – Phase 2: Meet Portfolio Manager 2017
    • Portfolio Manager 2017
    • Portfolio Manager 2017 (with Actuals)

    3. Implement your homegrown PPM solution

    Plan and implement an affordable, adoptable, and effective PPM solution with Info-Tech's Portfolio Manager 2017 workbook.

    • Grow Your Own PPM Solution – Phase 3: Implement Your PPM Solution
    • Portfolio Manager 2017 Operating Manual
    • Stakeholder Engagement Workbook
    • Portfolio Manager Debut Presentation for Portfolio Owners
    • Portfolio Manager Debut Presentation for Data Suppliers

    4. Outgrow your own PPM solution

    Develop an exit strategy from your home-grown solution to a commercial PPM toolset. In this video, we show a rapid transition from the Excel dataset shown on this page to a commercial solution from Meisterplan. Christoph Hirnle of Meisterplan is interviewed starting at 9 minutes.

    Workshop: Grow Your Own PPM Solution

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Scope a Homegrown PPM Solution for Your Organization

    The Purpose

    Assess the current state of project portfolio management capability at your organization. The activities in this module will inform the next modules by exploring your organization’s current strengths and weaknesses and identifying areas that require improvement.

    Set up the workbook to generate a fully functional project portfolio workbook that will give you a high-level view into your portfolio.

    Key Benefits Achieved

    A high-level review of your current project portfolio capability is used to decide whether a homegrown PPM solution is an appropriate choice

    Cost-benefit analysis is done to build a business case for supporting this choice

    Activities

    1.1 Review existing PPM strategy and processes.

    1.2 Perform a cost-benefit analysis.

    Outputs

    Confirmation of homegrown PPM solution as the right choice

    Expected benefits for the PPM solution

    2 Get to Know Portfolio Manager 2017

    The Purpose

    Define a list of requirements for your PPM solution that meets the needs of all stakeholders.

    Key Benefits Achieved

    A fully customized PPM solution in your chosen platform

    Activities

    2.1 Introduction to Info-Tech's Portfolio Manager 2017: inputs, outputs, and the data model.

    2.2 Gather requirements for enhancements and customizations.

    Outputs

    Trained project/resource managers on the homegrown solution

    A wish list of enhancements and customizations

    3 Implement Your Homegrown PPM Solution

    The Purpose

    Determine an action plan regarding next steps for implementation.

    Implement your homegrown PPM solution. The activities outlined in this step will help to promote adoption of the tool throughout your organization.

    Key Benefits Achieved

    A set of processes to integrate the new homegrown PPM solution into existing PPM activities

    Plans for piloting the new processes, process improvement, and stakeholder communication

    Activities

    3.1 Plan to integrate your new solution into your PPM processes.

    3.2 Plan to pilot the new processes.

    3.3 Manage stakeholder communications.

    Outputs

    Portfolio Manager 2017 operating manual, which documents how Portfolio Manager 2017 is used to augment the PPM processes

    Plan for a pilot run and post-pilot evaluation for a wider rollout

    Communication plan for impacted PPM stakeholders

    Master the Public Cloud IaaS Acquisition Models

    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $3,820 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:

    • Upfront or monthly payments
    • Commitment discounts
    • Support options
    • Migration planning and support

    Our Advice

    Critical Insight

    IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.

    Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.

    • Are vendor reps being straightforward?
    • What are the licensing requirements?
    • What discounts or incentives can I negotiate?
    • How much do I have to commit to and for how long?

    Impact and Result

    This project will provide several benefits for both IT and the business. It includes:

    • Best IaaS platform to support current and future procurement requirements.
    • Right-sized cloud commitment tailored to the organization’s budget.
    • Predictable and controllable spend model.
    • Flexible and reliable IT infrastructure that supports the lines of business.
    • Reduced financial and legal risk.

    Master the Public Cloud IaaS Acquisition Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to learn how the public cloud IaaS procurement models compare. Review Info-Tech’s methodology and understand the top three platforms, features, and benefits to support and inform the IaaS vendor choice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Educate

    Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.

    • Master the Public Cloud IaaS Acquisition Models – Phase 1: Educate
    • Public Cloud Procurement Checklist
    • Microsoft Public Cloud Licensing Guide

    2. Evaluate

    Review and understand the features, downsides, and differences between the big three players.

    • Master the Public Cloud IaaS Acquisition Models – Phase 2: Evaluate
    • Public Cloud Procurement Comparison Summary

    3. Execute

    Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives and migration costs, and review and execute the agreement.

    • Master the Public Cloud IaaS Acquisition Models – Phase 3: Execute
    • Public Cloud Acquisition Executive Summary Template

    Identify and Manage Operational Risk Impacts on Your Organization

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    More than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.
    • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

    Impact and Result

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

    Identify and Manage Operational Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Operational Risk Impacts to Your Organization Storyboard – Use this research to better understand the negative impacts of vendor actions to your brand reputation.

    Use this research to identify and quantify the potential operational impacts caused by vendors. Utilize Info-Tech's approach to look at the operational impact from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Operational Risk Impacts to Your Organization Storyboard

    2. Operational Risk Impact Tool – Use this tool to help identify and quantify the operational impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Operational Risk Impact Tool

    Further reading

    Identify and Manage Operational Risk Impacts on Your Organization

    Understand internal and external vendor risks to avoid potential disaster.

    Analyst perspective

    Organizations need to be aware of the operational damage vendors may cause to plan around those impacts effectively.

    Organizations must be mindful that operational risks come from internal and external vendor sources. Missing either component in the overall risk assessment can significantly impact day-to-day business processes that cost revenue, delay projects, and lead to customer dissatisfaction.

    Frank Sewell,

    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    More than any other time, our world is changing rapidly. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

    Common Obstacles

    Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.

    Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

    Info-Tech's Approach

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to threats in the market. Ongoing monitoring of the vendors tied to company operations, and understanding where those vendors impact your operations, is imperative to avoiding disasters.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    There are many components to vendor risk, including: Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Operational risk impacts

    Potential losses to the organization due to incidents that affect operations.

    • In this blueprint we’ll explore operational risks, particularly from third-party vendors, and their impacts.
    • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to identify, manage, and monitor vendor performance.

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    • 27% of businesses are changing their internal processes around TPRM in response to the pandemic.
    • 70% of organizations attribute a third-party breach to too much privileged access.
    • 85% of breaches involved human factors (phishing, poor passwords, etc.).

    Assess internal and external operational risk impacts

    Due diligence and consistent monitoring are the keys to safeguarding your organization.

    Two sides of the Same Coin

    Internal

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    External

    • Cyberattacks
    • Supply Chain Issues
    • Geopolitical Disruptions
    • Vendor Acquisitions
    • N-Party Non-Compliance
    • Vendor Fraud

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

    - Wikipedia

    Internal operational risk

    Vendors operating within your secure perimeter can open your organization to substantial risk.

    Frequently monitor your internal process around vendor management to ensure safe operations.

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    Info-Tech Insight

    You may have solid policies, but if your employees and vendors are not following them, they will not protect the organization.

    External operational risks

    • Cyberattacks
    • Supplier issues and geopolitical instability
    • Vendor acquisitions
    • N-party vendor non-compliance

    Identify and manage operational risks

    Poorly configured systems

    Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors are crucial to ensure they are meeting expectations in this regard.

    Failure to follow processes

    Most companies have policies and procedures around IT change and configuration control, security standards, risk management, vendor performance standards, etc. While having these processes is a good start, failure to perform continuous monitoring and management of these leads to increased risks of incidents.

    Supply chain disruptions

    Awareness of the supply chain's complications, and of each organization's dependencies, is increasing for everyone. However, most organizations still do not understand the chain of n-party vendors that support their specific vendors or how interruptions in their supply chains could affect them. The 2022 Toyota shutdown due to Kojima is a perfect example of how one essential parts vendor could shut down your operations.

    What to look for

    Identify operational risk impacts

    • Does the vendor have a business continuity plan they will share for your review?
    • Is the vendor operating on old hardware that may be out of warranty or at end of life?
    • Is the vendor operating on older software or shareware that may lack the necessary patches?
    • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
    • Does the vendor have sufficient personnel in acceptable regions to support your operations?
    • Is the vendor willing to make concessions on contractual protections, or are they only offering “one-sided” agreements with “as-is” warranties?

    Operational risks

    Not knowing where your risks come from creates additional risks to operations.

    • Supply chain disruptions and global shortages.
      • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Do you know where your critical vendors are getting their supplies? Are you aware of their business continuity plans to accommodate for those interruptions?
    • Poor vendor performance.
      • Organizations need to understand where vendors are acting in their operations and manage the impact of replacing a poorly performing vendor and cutting their losses, rather than continuing to throw good money after bad performance.
    • Vendor acquisitions.
      • A lot of acquisition is going on in the market today. Large companies are buying competitors, imposing new terms on customers, or removing competing products from the market. Understand your options if a vendor is acquired by a company with which you do not wish to be in a relationship.

    It is important to identify where potential risks to your operations may come from to manage and potentially eliminate them from impacting your organization.

    Info-Tech Insight

    Most organizations realize that their vendors could operationally affect them if an incident occurs. Still, they fail to follow the chain of events that might arise from those incidents to understand the impact fully.

    Prepare your vendor risk management for success

    Due diligence will enable successful outcomes.

    1. Obtain top-level buy-in; it is critical to success.
    2. Build enterprise risk management (ERM) through incremental improvement.
    3. Focus initial efforts on the “big wins” to prove the process works.
    4. Use existing resources.
    5. Build on any risk management activities that already exist in the organization.
    6. Socialize ERM throughout the organization to gain additional buy‑in.
    7. Normalize the process long term with ongoing updates and continuing education for the organization.

    How to assess third-party operational risk

    1. Review Organizational Operations

      Understand the organization’s operational risks to prepare for the “what if” game exercise.
    2. Identify and Understand Potential Operational Risks

      Play the “what if” game with the right people at the table.
    3. Create a Risk Profile Packet for Leadership

      Pull all the information together in a presentation document.
    4. Validate the Risks

      Work with leadership to ensure that the proposed risks are in line with their thoughts.
    5. Plan to Manage the Risks

      Lower the overall risk potential by putting mitigations in place.
    6. Communicate the Plan

      It is important not only to have a plan but also to socialize it in the organization for awareness.
    7. Enact the Plan

      Once the plan is finalized and socialized, put it in place with continued monitoring for success.

    Insight summary

    Operational risk impacts often come from unexpected places and have unforeseen consequences. Knowing where your vendors sit in critical business processes, and how those vendors' business continuity plans treat your organization, should be a priority for those who manage the vendors.

    Insight 1

    Organizations fail to plan for vendor acquisitions appropriately.

    Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans around replacing critical vendors purchased in such a manner?

    Insight 2

    Organizations often fail to understand how they factor into a vendor’s business continuity plan.

    If one of your critical vendors goes down, do you know how they intend to re-establish business? Do you know how you factor into their priorities?

    Insight 3

    Organizations need to have a comprehensive understanding of how their vendor-managed systems integrate with Operations.

    Do you understand where in the business processes vendor-supported systems lie? Do you have contingencies around disruptions that account for those pieces missing from the process?

    Identifying operational vendor risk

    Who should be included in the discussion

    • While it is true that executive-level leadership defines the strategy for an organization, it is vital that those making decisions are well informed.
    • Getting input from operational experts at your organization will enhance your organization's long-term potential for success.
    • Involving those who not only directly manage vendors but also understand your business processes will aid in determining the forward path for relationships with your current vendors and identifying new emerging potential partners.

    See the blueprint Build an IT Risk Management Program

    Review your operational plans for new risks on a regular basis.

    Keep in mind Risk = Likelihood x Impact (R=L*I).

    Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent.

    Managing vendor operational risk impacts

    What can we realistically do about the risks?

    • Review vendors’ business continuity plans and disaster recovery testing.
      • Understand your priority in their plans.
    • Institute proper contract lifecycle management.
      • Make sure to follow corporate due diligence and risk assessment policies and procedures.
      • Failure to do so consistently can be a recipe for disaster.
    • Develop IT governance and change control.
    • Introduce continual risk assessment to monitor the relevant vendor markets.
      • Regularly review your operational plans for new risks and evolving likelihoods.
      • Risk = Likelihood x Impact (R=L*I).
        • Impact (I) tends to remain the same and be well understood, while Likelihood (L) may often be considered 100%.
    • Be adaptable and allow for innovations that arise from the current needs.
      • Capture lessons learned from prior incidents to improve over time and adjust your plans accordingly.

    Organizations need to review their organizational risk plans, considering the placement of vendors in their operations.

    Pandemics, extreme weather, and wars that affect global supply chains are current realities, not unlikely scenarios.

    Ongoing improvement

    Incorporating lessons learned

    • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
    • When it happens, follow your incident response plans and act accordingly.
    • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
    • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

    Sometimes disasters occur despite our best plans to manage them.

    When this happens, it is important to document the lessons learned and improve our plans going forward.

    The "what if" game

    1-3 hours

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Break into smaller groups (or if too small, continue as a single group).
    • Use the Operational Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
    • Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Operational Risk Impact Tool

    Input

    • List of identified potential risk scenarios scored by likelihood and operational impact
    • List of potential management of the scenarios to reduce the risk

    Output

    • Comprehensive operational risk profile on the specific vendor solution

    Materials

    • Whiteboard/flip charts
    • Operational Risk Impact Tool to help drive discussion

    Participants

    • Vendor Management – Coordinator
    • Organizational Leadership
    • Operations Experts (SMEs)
    • Legal/Compliance/Risk Manager

    High risk example from tool

    Sample Questions to Ask to Identify Impacts. Lists impact score, weight, question, and comments or notes.

    Being overly reliant on a single talented individual can impose risk to your operations. Make sure you include resiliency in your skill sets for critical business practices.

    Impact score and level. Each impact score is unique to the organization.

    Low risk example from tool

    Sample Questions to Ask to Identify Impacts. Lists impact score, weight, question, and comments or notes. Impact score and level. Each impact score is unique to the organization.

    Summary

    Seek to understand all aspects of your operations.

    • Organizations need to understand and map out where vendors are critical to their operations.
    • Those organizations that consistently follow their established risk assessment and due diligence processes will be better positioned to avoid disasters.
    • Bring the right people to the table to outline potential risks in the market and your organization.
    • Understand how your vendors prioritize your organization in their business continuity processes.
    • Incorporate “lessons learned” from prior incidents into your risk management process to build better plans for future issues.

    Organizations must evolve their operational risk assessments considering their vendor portfolio.

    Ongoing monitoring of the market and the vendors tied to company operations is imperative to avoiding disaster.

    Related Info-Tech Research

    Identify and Manage Financial Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Strategic Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

    Bibliography

    “Weak Cybersecurity is taking a toll on Small Businesses.” Tripwire. August 7, 2022.

    SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)

    Member Poll March 2021. “Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties.” Shared Assessments. March 2021.

    “Operational Risk.” Wikipedia.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, August 23, 2012.

    Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

    The Rapid Application Selection Framework

    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $37,512 Average $ Saved
    • member rating average days saved: 22 Average Days Saved
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Selection takes forever. Traditional software selection drags on for years, sometimes in perpetuity.
    • IT is viewed as a bottleneck and the business has taken control of software selection.
    • “Gut feel” decisions rule the day. Intuition, not hard data, guides selection, leading to poor outcomes.
    • Negotiations are a losing battle. Money is left on the table by inexperienced negotiators.
    • Overall: Poor selection processes lead to wasted time, wasted effort, and applications that continually disappoint.

    Our Advice

    Critical Insight

    • Adopt a formal methodology to accelerate and improve software selection results.
    • Improve business satisfaction by including the right stakeholders and delivering new applications on a truly timely basis.
    • Kill the “sacred cow” requirements that only exist because “it’s how we’ve always done it.”
    • Forget about “RFP” overload and home in on the features that matter to your organization.
    • Skip the guesswork and validate decisions with real data.
    • Take control of vendor “dog and pony shows” with single-day, high-value, low-effort, rapid-fire investigative interviews.
    • Master vendor negotiations and never leave money on the table.

    Impact and Result

    Improving software selection is a critical project that will deliver huge value.

    • Hit a home run with your business stakeholders: use a data-driven approach to select the right application vendor for their needs – fast.
    • Shatter stakeholder expectations with truly rapid application selections.
    • Boost collaboration and crush the broken telephone with concise and effective stakeholder meetings.
    • Lock in hard savings and do not pay list price by using data-driven tactics.

    The Rapid Application Selection Framework Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The Rapid Application Selection Framework

    • The Rapid Application Selection Framework Deck

    2. The Guide to Software Selection: A Business Stakeholder Manual

    • The Guide to Software Selection: A Business Stakeholder Manual

    3. The Software Selection Workbook

    • The Software Selection Workbook

    4. The Vendor Evaluation Workbook

    • The Vendor Evaluation Workbook

    Demystify the New PMBOK Guide and PMI Certifications

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • There is lots of confusion with the latest edition of A Guide to The Project Management Body of Knowledge (PMBOK Guide).
    • The Project Management Professional (PMP) certification is not satisfying the needs of PMOs.
    • There is still a divide on whether the focus should be on the PMP or an Agile-related certification.
    • The PMP certification has lost its sizzle while other emerging certifications have started to penetrate the market. It’s hard to distinguish which certifications still hold weight.

    Our Advice

    Critical Insight

    • The PMP certification is still valuable and worth your time in 2023.
    • There are still over a million active PMP-certified individuals worldwide.
    • PMP can make you more money.

    Impact and Result

    • Study the market trends for certification options as they emerge and evolve.
    • Go with longstanding, reputable certifications, but be ready to pivot if they are not adding value.
    • Look at the job market as an indicator of certification demands.
    • There are a lot of certification options out there, and every day there seems to be a new one that pops up. Wait and see how the market reacts before investing your time and money in a new certification.

    Demystify the New PMBOK Guide and PMI Certifications Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Demystify the New PMBOK and PMI Certifications Storyboard – A guide to validate if the PMP is still valuable. It will also provide clarity related to the updated PMBOK 7th edition.

    This publication will validate if the PMP certification is still valuable and worth your time. In addition, you will gain different perspectives related to other PMI and non-PMI certifications. You will gain a better understanding of the evolution of the PMBOK Guide, and the significant changes made from PMBOK 6th edition to the 7th edition.

    • Demystify the New PMBOK and PMI Certifications Storyboard

    Further reading

    Demystify the New PMBOK Guide and the PMI Certifications

    The PMP certification is still valuable and worth your time in 2023.

    Analyst Perspective

    The PMP (Project Management Professional) certification is still worth your time.

    I often get asked, “Is the PMP worth it?” I then proceed with a question of my own: “If it gets you an interview or a foot in the door or bolsters your salary, would it be worth it?” Typically, the answer is a resounding “YES!”

    CIO magazine ranked the PMP as the top project management certification in North America because it demonstrates that you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.

    Given its popularity and the demand in the marketplace, I strongly believe it is still worth your time and investment. The PMP is a globally recognized certification that has dominated for decades. It is hard to overlook the fact that the Project Management Institute (PMI) has more than 1.2 million PMP certification holders worldwide and is still considered the gold standard for project management.

    Yes, it’s worth it. It gets you interviews, a foot in the door, and bolsters your salary. Oh, and it makes you a more complete project manager.

    Long Dam, PMP, PMI-ACP, PgMP, PfMP

    Principal Research Director, Project Portfolio Management Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • There is lots of confusion with the latest A Guide to The Project Management Body of Knowledge (aka PMBOK Guide).
    • The Project Management Professional (PMP) certification is not satisfying the needs of PMOs.
    • There is still a divide on whether the focus should be on the PMP or an Agile-related certification.

    The PMP certification has lost its sizzle while other emerging certifications have started to penetrate the market. It’s hard to distinguish which certification still holds weight.

    Common Obstacles

    • Poor understanding and lack of awareness of other PMI certifications outside of the PMP.
    • There are too many competing certifications out there, and it’s hard to decipher which ones to choose.
    • PMI certifications typically take a lot of effort to obtain and maintain.

    There are other, less intensive certifications available. It’s unclear what will be popular in the future.

    Info-Tech's Approach

    • Study the market trends for certification options as they emerge and evolve.
    • Go with longstanding reputable certifications, but be ready to pivot if they are not adding value.
    • Look at the job market as an indicator for certification demands.

    There are a lot of certification options out there, and every day there seems to be a new one that pops up. Wait and see how the market reacts before investing your time and money in a new certification.

    Info-Tech Insight

    The PMP certification is still valuable and worthy of your time in 2023.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guide Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    The PMP dominated the market for decades and got over 1 million people certified

    Total active project management professional holders from December 2021 versus July 2022

    Info-Tech Insight

    The PMI’s flagship PMP certification numbers have not significantly increased from 2021 to 2022. However, PMP substantially outpaces all competitors with over 1.2 million certified PMPs.

    Source: projectmanagement.com

    The PMP penetrated over 200 countries

    PMP is the global project management gold standard.

    • CIO magazine ranked the PMP as the top project management certification because it demonstrates you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.
    • It delivers real value in the form of professional credibility, deep knowledge, and increased earning potential. Those benefits have staying power.
    • The PMP now includes predictive, Agile, and hybrid approaches.
    • The PMP demonstrates expertise across the wide array of planning and work management styles.

    Source: PMI, “PMP Certification.” PMI, “Why You Should Get the PMP.”

    The PMP was valuable in the past specifically because it was the standard

    79% of project managers surveyed have the PMP certification out of 30,000 respondents in 40 countries.

    The PMP became table stakes for jobs in project management and PMOs.

    Work desk with project management written in middle. Arrows point to: Goals, planning, risks, control, teamwork, cost, communication, and problem solving.

    Source: PMI’s Earning Power: Project Management Salary Survey—Twelfth Edition (2021)

    The PMP put itself on a collision course with Agile

    • The Agile Certified Practitioner (PMI-ACP) was introduced in 2012, which initially clashed with the PMP for project management supremacy from the PMI.
    • Then the Disciplined Agile (DA) was introduced in 2019, which further compounded the issue and caused even more confusion with both the PMP and the PMI-ACP certification.
    • Instead of complementing the PMP, these certifications began to inadvertently compete with it head-to-head.

    There is a new PMBOK Guide Seventh Edition in town

    The PMI made its most significant changes between 2017 and 2021.

    Chart showing editions of the PMBOK guide from 1996 to 2021.

    Timeline adapted from Wikipedia, “Project Management Body of Knowledge.”

    Roughly every 3-5 years, the PMI has released a new PMBOK version. It’s unclear if there will be an eighth edition.

    The market got confused by PMBOK Guide – Seventh Edition

    PMBOK Guide version 5 was considered the gold standard, version 6 first included Agile, and version 7 was the most radical change.

    • Die-hard traditional project managers have a hard time grasping why the PMI messed around with the PMBOK Guide. There is sentiment that the PMBOK Guide V7 got diluted.
    • Naysayers do not think that the PMBOK Guide V7 hit the mark and found it to be a concession to Agilists.
    • The PMBOK Guide V7 was significantly trimmed down by almost two-thirds to 274 pages whereas the PMBOK V6 ballooned to 756 pages!
    • Some Agile practitioners found this to be a refreshing, bold move from the PMI. Most, however, ignored or resisted it.
    PMBOK Guide: A Guide to the Project Management Body of Knowledge, Seventh Edition, and The Standard for Project Management.

    PMBOK Guide – Seventh edition released in 2021

    • The PMBOK Guide – Seventh Edition was released in late 2021. It was the most radical change since 1987. For the first time, the PMI went from a process-based standard to a principles-based standard, and the guide went from knowledge areas to project performance domains. This may have diluted the traditional predictive project management practices. However, it was offset by incorporating more iterative, Agile, and hybrid approaches.
    • The market is confused and is clearly shifting toward Agile and away from the rigor that is typically associated with the PMI.
    • The PMI transitioned most of the process-based standards & ITTO to their new digital PMIStandards+ online platform, which can be found here (access for PMI members only).
    • The PMBOK Guide is not the sole basis of the certification exam; however, it can be used as one of several reference resources. Using the exam content outline (ECO) is the way forward, which can be found here.

    The Agile certification seems to be the focus for the PMI in the coming years

    • The PMI started to get into the Agile game with the introduction of Agile certifications, which is where all the confusion started. Although the PMI-ACP & the DASM have seen a steady uptake recently, it appears to be at the expense of the PMP certification.
    • The PMI acquired the Disciplined Agile (DA) in late 2019, which expanded their offerings and capabilities for project managers and teams to choose their “way of working.”
    • This was an important milestone for the PMI to address the new way of working for Agile practitioners with this offering to provide more options and to better support enterprise agility.
    PMI-ACP & the DASM have seen a steady uptake recently.

    Source: projectmanagement.com as of July 2022

    The PMI has lost more certified PMPs than they have gained so far in 2022

    PMP – Project Management Professional

    It is a concerning trend that their bread and butter, the PMP flagship certification, has largely stalled in 2022. We are unsure whether this can be attributed to displacement by competitors such as the Agile Alliance, to the PMI’s own Agile offerings, or to the market’s lackluster reaction to PMBOK Guide – Seventh Edition.

    Source: projectmanagement.com as of July 2022

    The PMI’s total memberships have stalled since September 2021

    PMI: Project Management Institute

    The PMI’s membership appears to have a direct correlation to the PMP numbers. As the PMP number stalls, so do the PMI’s memberships.

    Source: projectmanagement.com as of July 2022

    The PMP and the PMBOK Guide are more focused on project management

    The knowledge and skills were not all that helpful for running programs, portfolios, and PMOs.
    • It became evident that other certifications were more tightly aligned to program and portfolio management for the PMOs. The PMI provides the following:
      • Program Management Professional (PgMP)
      • Portfolio Management Professional (PfMP)
    • Axelos also has certifications for program management and portfolio management, such as:
      • Managing Successful Programmes (MSP)
      • Management of Portfolios (MoP)
      • Portfolio, Programme, and Project Offices (P3O)

    The market didn’t know what to do with the PgMP or the PfMP

    These were relatively unknown certifications for Program and Portfolio Management.

    • The PMI’s story was that you would start as a project manager with the PMP certification and then the natural progression would be toward either Program Management (PgMP) or Portfolio Management (PfMP).
    • The uptake for the PgMP and the PfMP certification has been insignificant and underwhelming. The appetite and the demand for PMO-aligned certifications have been lackluster since their inception.
    PgMP – Program Management Professional and PfMP – Portfolio Management Professional certifications are relatively unknown. PgMP only has 3780 members since 2007, and PfMP has 1266 since 2014.

    Source: projectmanagement.com as of July 2022

    There are other non-PMI certifications to consider

    Depending on your experience level

    List of non-PMI certifications based on specialization. List of non-PMI certifications based on years of experience.  Divided into 3 categories: 0-3 years, 3+ years, and 8+ years of experience.

    Other non-PMI project management certifications

    Non-PMI project management certifications

    PRINCE2 and CSM appear to be the more popular ones in the market.

    In April 2022, CIO.com outlined other popular project management certifications outside of the PMI.

    Source: CIO.com

    Project managers have an image problem among senior leaders

    There is a perception that PMs are just box-checkers and note-takers.

    • Project managers are seen as tactical troubleshooters rather than strategic partners. This suggests a widespread lack of understanding of the value and impact of project management at the C-suite level.
    • Very few C-suite executives associate project managers with "realizing visions," being "essential," or being "changemakers."
    • Strong strategic alignment between the PMO and the C-suite helps to reinforce the value of project management capabilities in achieving wider strategic aims.

    Source: PMI, Narrowing The Talent Gap, 2021

    Hiring practices have yet to change in response to the PMI’s moves

    The PMP is still the standard, even for organizations transitioning to Agile and PMO/portfolio jobs.

    • Savvy business leaders are still unsure about how Agile will impact them in the long term.
    • According to the Narrowing the Talent Gap report, PMI and PwC’s latest global research indicates that talent strategies haven’t changed much. There’s a widespread lack of focus on developing and retaining existing project managers, and a lack of variety and innovation in attracting and recruiting new talent. The core problem is that there isn’t a business case for investment in talent.

    Noteworthy Agile certifications to consider

    Agile Certified Practitioner (PMI-ACP) and Certified ScrumMaster (CSM) certification details.

    Source: PMI, “Agile Certifications,” and ScrumAlliance, “Become a Certified ScrumMaster.”

    Info-Tech Insight

    There is a lot of chatter about which Agile certification is better, and the jury is still out with no consensus. There are pros and cons to both certifications. We believe the PMI-ACP will give you more mileage and flexibility because of its breadth of coverage in the Agile practice compared to the CSM.

    The talent shortage is a considerable risk to organizations

    • According to the PMI’s 2021 Talent Gap report,¹ the talent gap is likely to impact every region. By 2030, at least 13 million project managers are expected to have retired, creating additional challenges for recruitment. To close the gap, 25 million new project professionals are needed by 2030.
    • Young project managers will change the profession. Millennials and Generation Z are bringing fresh perspectives to projects. Learning to work alongside these younger generations isn't optional, as they increasingly dominate the labor force and extend their influence.
    • Millennials have already arrived: According to Pew Research,² this group surpassed Gen X in 2016 and is now the largest generation in the US labor force.

    1. PMI, Talent Gap, 2021.
    2. PM Network, 2019.

    Money talks – the PMP is still your best payoff

    It is a financially rewarding profession!

    The median salary for PMP holders in the US is 25% higher than those without PMP certification.

    On a global level, the Project Management Professional (PMP) certification has been shown to bolster salary levels. Holders of the PMP certification report higher median salaries than those without a PMP certification – 16% higher on average across the 40 countries surveyed.

    Source: PMI, Earning Power, 2021

    Determine which skills and capabilities are needed in the coming years

    • A scan of 2022 PM and PMO postings still shows continued dominance of the PMP certification requirement.
    • People and relationships have become more important than predicting budgets and timelines.
    • The PMI and PwC Global Survey on Transformation and Project Management 2021 identified the top five skills/capabilities for project managers (in order of priority):
      1. Relationship building
      2. Collaborative leadership
      3. Strategic thinking
      4. Creative problem solving
      5. Commercial awareness

    Source: PMI, Narrowing The Talent Gap, 2021.

    Prepare for product delivery by focusing on top digital-age skills

    The PMI Megatrends 2022 report identifies six areas as the top digital-age skills for product delivery:

    1. Innovative mindset
    2. Legal and regulatory compliance knowledge
    3. Security and privacy knowledge
    4. Data science skills
    5. Ability to make data-driven decisions
    6. Collaborative leadership skills

    Many organizations aren’t considering candidates who don’t have project-related qualifications. Indeed, many more organizations are increasing their qualification requirements than are reducing them.

    Source: PMI, Narrowing The Talent Gap, 2021

    Prioritize training and development at the C-suite level

    Currently, training is imbalanced, with more emphasis on tools, processes, techniques, and methodologies than on business acumen, collaboration, and management skills. With the explosion of remote work, training needs to be revamped and, in some cases, redesigned altogether to accommodate remote employees.

    Train of gears labeled: Training. Gears from left to right are labeled: Knowledge, coaching, skills, development, and experience.

    Lack of strategic prioritization is evident in how training and development is being done, with organizations largely not embracing a diversity of learning preferences and opportunities.

    Source: PMI, Narrowing The Talent Gap, 2021

    PM is evolving into a more strategic role

    • Ensure program and portfolio management roles are supported by the most appropriate certifications.
    • For project managers that have evolved beyond the iron triangle of managing projects, there is applicability to the PgMP and the PfMP for program managers, portfolio managers, and those in charge of PMOs.
    • Although these certifications have not been widely adopted due to lack of awareness and engagement at the decision-maker level, they still hold merit and prestige within the project management community.

    Project managers are evolving. No longer creatures of scope, schedule, and budget alone, they are now – enabled by new technology – focusing on influencing outcomes, building relationships, and achieving the strategic goals of their organizations.

    Source: PMI, Narrowing the Talent Gap, 2021

    Overhaul your recruitment practices to align with skills/capabilities

    World map with cartoon profile images, linked in a network.

    Talent managers will need to retool their toolbox to fill the capability gap and to look beyond where the role is geographically based by embracing flexible staffing models.

    They will need to evolve their talent strategies in line with changing business priorities.

    Organizations should be actively working to increase the diversity of candidates and upskilling young people in underrepresented communities as a priority.

    Most organizations are still relying on traditional approaches to recruit talent. Although we are prioritizing power skills and business acumen, we are still searching in the same, shrinking pool of talent.

    Source: PMI, Narrowing the Talent Gap, 2021.

    Bibliography

    “Agile Certifications for Every Step in Your Career.” PMI. Web.

    “Become a Certified ScrumMaster and Help Your Team Thrive.” ScrumAlliance. Web.

    “Become a Project Manager.” PMI. Accessed 14 Sept. 2022.

    Bucero, A. “The Next Evolution: Young Project Managers Will Change the Profession: Here's What Organizations Need to Know.” PM Network, 2019, 33(6), 26–27.

    “Certification Framework.” PMI. Accessed 14 Sept. 2022.

    “Certifications.” PMI. Accessed 14 Sept. 2022.

    DePrisco, Mike. Global Megatrends 2022. “Foreword.” PMI, 2022. Accessed 14 Sept. 2022.

    Earning Power: Project Management Salary Survey. 12th ed. PMI, 2021. Accessed 14 Sept. 2022.

    “Global Research From PMI and PwC Reveals Attributes and Strategies of the World’s Leading Project Management Offices.” PMI, 1 Mar. 2022. Press Release. Accessed 14 Sept. 2022.

    Narrowing the Talent Gap. PMI, 2021. Accessed 14 Sept. 2022.

    “PMP Certification.” PMI. Accessed 4 Aug. 2022.

    “Project Management Body of Knowledge.” Wikipedia, Wikimedia Foundation, 29 Aug. 2022.

    “Project Portfolio Management Pulse Survey 2021.” PwC. Accessed 30 Aug. 2022.

    Talent Gap: Ten-Year Employment Trends, Costs, and Global Implications. PMI. Accessed 14 Sept. 2022.

    “The Critical Path.” ProjectManagement.com. Accessed 14 Sept. 2022.

    “True Business Agility Starts Here.” PMI. Accessed 14 Sept. 2022.

    White, Sarah K. and Sharon Florentine. “Top 15 Project Management Certifications.” CIO.com, 22 Apr. 2022. Web.

    “Why You Should Get the PMP.” PMI. Accessed 14 Sept. 2022.

    Build an Information Security Strategy

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $45,303 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
    • The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.

    Our Advice

    Critical Insight

    The most successful information security strategies are:

    • Holistic – They consider the full spectrum of information security, including people, processes, and technology.
    • Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
    • Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

    Impact and Result

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations.
    • This approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Build an Information Security Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Information Security (IS) Strategy Research – A step-by-step document that helps you build a holistic, risk-based, and business-aligned IS strategy.

    Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context. Use this storyboard to augment your security strategy by ensuring alignment with business objectives, assessing your organization's risk and stakeholder expectations, understanding your current security state, and prioritizing initiatives and a security roadmap.

    • Build an Information Security Strategy – Phases 1-4

    2. Information Security Requirements Gathering Tool – A tool to make informed security risk decisions to support business needs.

    Use this tool to formally identify business goals and customer and compliance obligations and make explicit links to how security initiatives propose to support these business interests. Then define the scope and boundaries for the security strategy and the risk tolerance definitions that will guide future security risk decisions.

    • Information Security Requirements Gathering Tool

    3. Information Security Pressure Analysis Tool – An evaluation tool to invest in the right security functions using a pressure analysis approach.

    Security pressure posture analysis helps your organization assess your real security context and enables you to invest in the right security functions while balancing the cost and value in alignment with business strategies. Security pressure sets the baseline that will help you avoid over-investing or under-investing in your security functions.

    • Information Security Pressure Analysis Tool

    4. Information Security Program Gap Analysis Tool – A structured tool to systematically understand your current security state.

    Effective security planning should not be one size fits all – it must consider business alignment, security benefit, and resource cost. To enable an effective security program, all areas of security need to be evaluated closely to determine where the organization sits currently and where it needs to go in the future.

    • Information Security Program Gap Analysis Tool

    5. Information Security Strategy Communication Deck – A best-of-breed presentation document to build a clear, concise, and compelling strategy document.

    Use this communication deck template to present the results of the security strategy to stakeholders, demonstrate the progression from the current state to the future state, and establish the roadmap of the security initiatives that will be implemented. This information security communication deck will help ensure that you’re communicating effectively for your cause.

    • Information Security Strategy Communication Deck

    6. Information Security Charter – An essential document for defining the scope and purpose of a security project or program.

    A charter is an essential document for defining the scope and purpose of security. Without a charter to control and set clear objectives for this committee, the responsibility of security governance initiatives will likely be undefined within the enterprise, preventing the security governance program from operating efficiently. This template can act as the foundation for a security charter to provide guidance to the governance of information security.

    • Information Security Charter

    Workshop: Build an Information Security Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Security Requirements

    The Purpose

    Understand business and IT strategy and plans.

    Key Benefits Achieved

    Defined security obligations, scope, and boundaries.

    Activities

    1.1 Define business and compliance.

    1.2 Establish security program scope.

    1.3 Analyze the organization’s risk and stakeholder pressures.

    1.4 Identify the organizational risk tolerance level.

    Outputs

    Security obligations statement

    Security scope and boundaries statement

    Defined risk tolerance level

    Risk assessment and pressure analysis

    2 Perform a Gap Analysis

    The Purpose

    Define the information security target state.

    Key Benefits Achieved

    Set goals and initiatives for the security strategy in line with the business objectives.

    Activities

    2.1 Assess current security capabilities.

    2.2 Identify security gaps.

    2.3 Build initiatives to bridge the gaps.

    Outputs

    Information security target state

    Security current state assessment

    Initiatives to address gaps

    3 Complete the Gap Analysis

    The Purpose

    Continue assessing current security capabilities.

    Key Benefits Achieved

    Identification of security gaps and initiatives to bridge them according to the business goals.

    Activities

    3.1 Identify security gaps.

    3.2 Build initiatives to bridge the maturity gaps.

    3.3 Identify initiative list and task list.

    3.4 Define criteria to be used to prioritize initiatives.

    Outputs

    Completed security current state assessment

    Task list to address gaps

    Initiative list to address gaps

    Prioritize criteria

    4 Develop the Roadmap

    The Purpose

    Create a plan for your security strategy going forward.

    Key Benefits Achieved

    Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

    Activities

    4.1 Conduct cost/benefit analysis on initiatives.

    4.2 Prioritize gap initiatives based on cost and alignment with business.

    4.3 Build an effort list.

    4.4 Determine state times and accountability.

    4.5 Finalize security roadmap and action plan.

    4.6 Create communication plan.

    Outputs

    Information security roadmap

    Draft communication deck

    5 Communicate and Implement

    The Purpose

    Finalize deliverables.

    Key Benefits Achieved

    Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

    Activities

    5.1 Support communication efforts.

    5.2 Identify resources in support of priority initiatives.

    Outputs

    Security strategy roadmap documentation

    Detailed cost and effort estimates

    Mapping of Info-Tech resources against individual initiatives

    Further reading

    Build an Information Security Strategy

    Create value by aligning your strategy to business goals and business risks.

    Analyst Perspective

    Set your security strategy up for success.

    “Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders.

    Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

    While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”

    Kevin Peuhkurinen

    Research Director – Security, Risk & Compliance

    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
    • The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

    Common Obstacle

    • Developing a security strategy can be challenging. Complications include:
      • Performing an accurate assessment of your current security program can be extremely difficult when you don’t know what to assess or how.
      • Determining the appropriate target state for security can be even more challenging. A strategy built around following best practices is unlikely to garner significant support from business stakeholders.

    Info-Tech’s Approach

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.
    • This unique approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Info-Tech Insight

    The most successful information security strategies are:

    • Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
    • Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
    • Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.

    It’s not a matter of if you have a security incident, but when

    Organizations need to prepare and expect the inevitable security breach.

    Fifty-eight percent of companies surveyed that experienced a breach were small businesses.

    Eighty-nine percent of breaches have a financial or espionage motive.

    Three graphs are depicted. The first is labeled ‘Total Cost for Three Data Breach Root Causes,’ the second ‘Distribution of Benchmark by Root Cause of the Data Breach,’ and the third ‘Per Capita for Three Root Causes of a Data Breach.’ The three root causes are malicious or criminal attack (US$166 million per capita), system glitch ($132 million per capita), and human error ($133 million per capita).

    Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

    An information security strategy can help you prepare for incidents

    Organizations need to expect the inevitable security breach.

    90%

    of businesses have experienced an external threat in the last year.

    50%

    of IT professionals consider security to be their number one priority.

    53%

    of organizations claimed to have experienced an insider attack in the previous 12 months. 1

    46%

    of businesses believe the frequency of attacks is increasing. 2

    Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

    Sources: 1 Kaspersky Lab, “Global IT Security Risks Survey”; 2 CA Technologies, “Insider Threat 2018 Report”

    Persistent Issues

    Evolving Ransomware

    • Continual changes in types and platforms make ransomware a persistent threat. The frequency of ransomware attacks was reported to have increased by 67% in the past five years. 1

    Phishing Attacks

    • Despite filtering and awareness, email remains the most common threat vector for phishing attacks (94%) and an average of 3% of participants in phishing campaigns still click on them. 2

    Insider Privilege and Misuse

    • Typically, 34% of breaches are perpetrated by insiders, with 15% involving privilege misuse. Takeaway: Care less about titles and more about access levels. 3

    Denial of Service

    • The median amount of time that an organization is under a DDoS attack is three days.

    Emerging Trends

    Advanced Identity and Access Governance

    • Using emerging technologies in automation, orchestration, and machine learning, the management and governance of identities and access has become more advanced.

    Sources: 1 Accenture, “2019 The Cost of Cyber Crime Study”; 2,3 Verizon, “2019 Data Breach Investigations Report”

    New threat trends in information security aren’t new.

    Previously understood attacks are simply an evolution of prior implementations, not a revolution.

    Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

    However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

    Cyberattacks have a significant financial impact

    Global average cost of a data breach: $3.92 Million

    Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

    A bar graph, titled ‘Average cost of data breach by industry,’ is depicted. Of 17 industries depicted, public is the lowest average cost (US$1.29 million) and health is the highest average cost ($6.45 million).

    Primary incident type (with a confirmed data breach)

    1. The leading incident type is denial-of-service (DoS) attacks, accounting for up to 70% of all incidents.
    2. When it comes to data breaches, we see that the use of stolen credentials leads to the most cases of confirmed breaches, accounting for 29%.

    Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.

    Source: Verizon, “2019 Data Breach Investigations Report”

    Security threats are not going away

    We continue to see and hear of security breaches occurring regularly.

    A bar graph depicts the percentage of businesses who experienced a data breach in the last year–US total and global total. Numbers have increased from 2016 to 2019. In 2016, 19 percent of US businesses experienced a breach. In 2019, this number was 59 percent.

    An attacker must be successful only once. The defender – you – must be successful every time.

    Info-Tech’s approach

    Maturing from reactive to strategic information security

    Two circular graphs depict the move from ‘reactive security’ to ‘strategic security’ organizations can accomplish using Info-Tech’s approach.

    Tools icon that is used in the first three stages of the strategic security graph above. Indicates Info-Tech tools included in this blueprint.

    The Info-Tech difference:

    1. A proven, structured approach to mature your information security program from reactive to strategic.
    2. A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
    3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

    Info-Tech’s Security Strategy Model

    Info-Tech’s Security Strategy Model is depicted in this rectangular image with arrows. The first level depicts business context (enterprise goals, compliance obligations, scope and boundaries) and pressures (security risks, risk tolerance, stakeholder expectations). The second level depicts security target state (maturity model, security framework, security alignment goals, target maturity, time frame) and current state (current state assessment, gap analysis). The third level depicts the information security roadmap (initiative list, task list, prioritization methodology, and Gantt chart).

    The Info-Tech difference:

    An information security strategy model that is:

    1. Business-Aligned. Determines business context and cascades enterprise goals into security alignment goals.
    2. Risk-Aware. Understands the security risks of the business and how they intersect with the overall organizational risk tolerance.
    3. Holistic. Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities.

    Info-Tech’s best-of-breed security framework

    This image shows how Info-Tech’s framework is based on ISO 27000 series, CIS Top 20, COBIT 2019, NIST 800-53, and NIST CSF.

    Info-Tech’s approach

    Creating an information security strategy

    Value to the business

    Outcome

    Best-of-breed security strategy

    Have documentation that paints a picture of the road to compliance. Integrate your framework with your risk tolerance and external pressures.

    Be ready for future changes by aligning your security strategy to security framework best practices.

    Address the nature of your current information security

    Eliminate gaps in process and know what is in scope for your security strategy. Learn what pressures your business and industry are under.

    Gain insight into your current state, allowing you to focus on high-value projects first, transitioning towards a target state.

    Highlight overlooked functions of your current security strategy

    Build a comprehensive security program that brings to light all aspects of your security program.

    Instead of pursuing ad hoc projects, know what needs work and how to prioritize your pressing security issues.

    Create a tangible roadmap to your target state

    Create a plan for your future state of information security. Refer to and update your target state as your business needs change.

    Document your current progress and path forward in the future. Know your goals and requirements, codified in a living document.

    Use our prepopulated deliverables to fast track your progress

    Let Info-Tech do the work for you. With completed deliverables, have tangible documents to convey your business needs.

    A comprehensive set of deliverables with concrete, defensible data to justify any business changes.

    A living security strategy

    Pivot and change prioritization to meet the needs of your security deficits.

    Future-proof your security strategy for any contingency.

    The Info-Tech difference:

    Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.

    • Dive deep into security obligations and security pressures to define the business context.
    • Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
    • Prioritize gap-closing initiatives to create a living security strategy roadmap.

    Use Info-Tech’s blueprint to save one to three months

    This image depicts how using Info-Tech’s four-phase blueprint can save an estimated seven to 14 weeks of an organization’s time and effort.

    Iterative benefit

    Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve but with less associated effort, time, and costs.

    These estimates are based on experiences with Info-Tech clients throughout the creation of this blueprint.

    Key deliverable:

    Information Security Strategy Communication Deck (PPT)

    Present your findings in a prepopulated document that summarizes all key findings of the blueprint.

    Screenshots from Info-Tech’s Information Security Strategy Communication Deck Template.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Information Security Requirements Gathering Tool

    Define the business, customer, and compliance alignment for your security program.

    Information Security Pressure Analysis Tool

    Determine your organization’s security pressures and ability to tolerate risk.

    Information Security Program Gap Analysis Tool

    Use our best-of-breed security framework to perform a gap analysis between your current and target states.

    Information Security Charter

    Ensure the development and management of your security policies meet the broader program vision.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical Guided Implementation on this topic look like?

    Guided Implementation #1 - Assess security requirements
    • Call #1 - Introduce project and complete pressure analysis.
    Guided Implementation #2 - Build a gap initiative strategy
    • Call #1 - Introduce the maturity assessment.
    • Call #2 - Perform gap analysis and translate into initiatives.
    • Call #3 - Consolidate related gap initiatives and define cost, effort, alignment, and security benefits.
    Guided Implementation #3 - Prioritize initiatives and build roadmap
    • Call #1 - Review cost/benefit analysis and build an effort map.
    • Call #2 - Build implementation waves and introduce Gantt chart.
    Guided Implementation #4 - Execute and maintain
    • Call #1 - Review Gantt chart and ensure budget/buy-in support.
    • Call #2 - Three-month check-in: Execute and maintain.

    A Guided Implementation is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical Guided Implementation is between 2 and 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information, or contact workshops@infotech.com or 1-888-670-8889.

    Day 1: Assess Security Requirements

    Activities

    • 1.1 Understand business and IT strategy and plans
    • 1.2 Define business and compliance requirements
    • 1.3 Establish the security program scope
    • 1.4 Analyze the organization’s risks and stakeholder pressures
    • 1.5 Identify the organizational risk tolerance level

    Deliverables

    1. Security obligations statement
    2. Security scope and boundaries statement
    3. Defined risk tolerance level
    4. Risk assessment and pressure analysis

    Day 2: Perform a Gap Analysis

    Activities

    • 2.1 Define the information security target state
    • 2.2 Assess current security capabilities
    • 2.3 Identify security gaps
    • 2.4 Build initiatives to bridge the gaps

    Deliverables

    1. Information security target state
    2. Security current state assessment
    3. Initiatives to address gaps

    Day 3: Complete the Gap Analysis

    Activities

    • 3.1 Continue assessing current security capabilities
    • 3.2 Identify security gaps
    • 3.3 Build initiatives to bridge the maturity gaps
    • 3.4 Identify initiative list and task list
    • 3.5 Define criteria to be used to prioritize initiatives

    Deliverables

    1. Completed security current state assessment
    2. Task list to address gaps
    4. Prioritization criteria

    Day 4: Develop Roadmap

    Activities

    • 4.1 Conduct cost/benefit analysis on initiatives
    • 4.2 Prioritize gap initiatives based on cost, time, and alignment with the business
    • 4.3 Build effort map
    • 4.4 Determine start times and accountability
    • 4.5 Finalize security roadmap and action plan
    • 4.6 Create communication plan

    Deliverables

    1. Information security roadmap
    2. Draft communication deck

    Day 5: Communicate and Implement

    Activities

    • 5.1 Finalize deliverables
    • 5.2 Support communication efforts
    • 5.3 Identify resources in support of priority initiatives

    Deliverables

    1. Security strategy roadmap documentation
    2. Detailed cost and effort estimates
    3. Mapping of Info-Tech resources against individual initiatives

    Executive Brief Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research Group

    Founded over 100 years ago, Credit Service Company (CSC)* operates in the United States with over 40 branches located across four states. The organization services over 50,000 clients.

    Situation

    Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.

    Solution

    During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.

    Results

    Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.

    *Some details have been changed for client privacy.

    Phase 1

    Assess Security Requirements

      Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

      Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

      Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

      Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    1.1 Define goals and scope of the security strategy.

    1.2 Assess your organization’s current inherent security risks.

    1.3 Determine your organization’s stakeholder pressures for security.

    1.4 Determine your organization’s risk tolerance.

    1.5 Establish your security target state.

    1.1.1 Record your business goals

    Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

    1. Record your identified primary and secondary business goals in the Goals Cascade tab of the Information Security Requirements Gathering Tool.

    Use the drop-down lists to select an appropriate goal or choose “Other.” If you do choose “Other,” you will need to manually enter an appropriate business goal.

    2. For each of your business goals, select one to two security alignment goals. The tool will provide you with recommendations, but you can override these by selecting a different goal from the drop-down lists.

    A screenshot of the ‘Business Goals Cascade,’ which is part of the ‘Information Security Requirements Gathering Tool.’

    A common challenge for security leaders is how to express their initiatives in terms that are meaningful to business executives. This exercise helps to make an explicit link between what the business cares about and what security is trying to accomplish.

    1.1.2 Review your goals cascade

    Estimated Time: 15 minutes

    1. When you have completed the goals cascade, you can review a graphic diagram that illustrates your goals. The graphic is found on the Results tab of the Information Security Requirements Gathering Tool.
      • Security must support the primary business objectives. A strong security program will enable the business to compete in new and creative ways, rather than simply acting as an obstacle.
      • Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and the organization’s bottom line.
    2. Once you have reviewed the diagram, copy it into the Information Security Strategy Communication Deck.

    A screenshot of the ‘Goal Cascade Diagrams,’ which is part of the ‘Information Security Requirements Gathering Tool.’

    Identify your compliance obligations

    Most conventional regulatory obligations are legally mandated legislation or compliance obligations, such as:

    Sarbanes-Oxley Act (SOX)

    Applies to public companies that have registered equity or debt securities within the SEC to guarantee data integrity against financial fraud.

    Payment Card Industry Data Security Standard (PCI DSS)

    Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected.

    Health Insurance Portability and Accountability Act (HIPAA)

    Applies to the healthcare sector and protects the privacy of individually identifiable healthcare information.

    Health Information Technology for Economic and Clinical Health (HITECH)

    Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA.

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business.

    Compliance obligations also extend to voluntary security frameworks:

    NIST

    National Institute of Standards and Technology; a non-regulatory agency that develops and publicizes measurement

    CIS – 20 CSC

    Center for Internet Security – 20 Critical Security Controls; foundational set of effective cybersecurity practices.

    ISO 27001

    An information security management system framework outlining policies and procedures.

    COBIT 5

    An information technology management and governance framework.

    HITRUST

    A common security framework for organizations that use or hold regulated personal health information.

    1.1.3 Record your compliance obligations

    Estimated Time: 30 minutes

    1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
      • Laws
      • Government regulations
      • Industry standards
      • Contractual agreements
      Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your security strategy, include only those that have information security or privacy requirements.
    2. Record your compliance obligations, along with any notes, in your copy of the Information Security Requirements Gathering Tool.

    A screenshot of ‘Security Compliance Obligations,’ part of the ‘Information Security Requirements Gathering Tool.’

    Establish your scope and boundaries

    It is important to know at the outset of the strategy: what are we trying to secure?

    This includes physical areas we are responsible for, types of data we care about, and departments or IT systems we are responsible for.

    This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

    Physical Scope and Boundaries

    • How many offices and locations does your organization have?
    • Which locations/offices will be covered by your information security management system (ISMS)?
    • How sensitive is the data residing at each location?
    • You may have many physical locations, and it is not necessary to list every one. Rather, list exceptional cases that are specifically in or out of scope.

    IT Systems Scope and Boundaries

    • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Does your ISMS need to secure all your programs or a select few?
    • Is the system owned or outsourced?
    • Where are we accountable for security?
    • How sensitive is the data that each system handles?

    Organizational Scope and Boundaries

    • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. Operations) not need any security coverage?
    • Do you have the ability to make security decisions for each department?
    • Who are the key stakeholders/data owners for each department?

    Organizational scope considerations

    Many different groups will fall within the purview of the security strategy. Consider these two main points when deciding which departments will be in scope:

    1. If a group/user has access to data or systems that can impact the organization, then securing that group/user should be included within scope of the security strategy.
    2. If your organization provides some work direction to a group/user, they should be included within scope of the security strategy.
    1. Identify your departments and business groups
      • Start by identifying departments that provide some essential input or service to the organization or departments that interact with sensitive data.
    2. Break out different subsidiaries or divisions
      • Subsidiaries may or may not be responsible for securing themselves and protecting their data, but either way they are often heavily reliant on corporate for guidance and share IT resourcing support.
    3. Identify user groups
      • Many user groups exist, all requiring different levels of security. For example, from on-premises to remote access, from full-time employees to part-time or contractors.

    Physical scope considerations

    List physical locations by type

    Offices

    The primary location(s) where business operations are carried out. Usually leased or owned by the business.

    Regional Offices

    These are secondary offices that can be normal business offices or home offices. These locations will have a VPN connection and some sort of tenant.

    Co-Locations

    These are redundant data center sites set up for additional space, equipment, and bandwidth.

    Remote Access

    This includes all remaining instances of employees or contractors using a VPN to connect.

    Clients and Vendors

    Various vendors and clients have dedicated VPN connections that will have some control over infrastructure (whether owned/IaaS/other).

    List physical locations by nature of the location

    Core areas within physical scope

    There are many physical locations that are directly managed. These are high-risk locations with many personnel and services, resulting in many possible vulnerabilities and attack vectors.

    Locations on the edge of control

    These are on the edge of the physical scope, and thus, in scope of the security strategy. These include remote locations, remote access connections, etc.

    Third-party connections

    Networks of third-party users are within physical scope and need defined security requirements and definitions of how this varies per user.

    BYOD

    Mostly privately owned mobile devices with either on-network or remote access.

    It would be overkill and unhelpful to list every single location or device that is in scope. Rather, list by broad categories as suggested above or simply list exceptional cases that are in/out of scope.

    IT systems scope considerations

    Consider identifying your IT systems by your level of control or ownership.

    Fully owned systems

    These are systems that are wholly owned or managed by your organization.

    IT is almost always the admin of these systems. Generally they are hosted on premises. All security measures, such as patching or antivirus, are carried out and managed by your IT department.

    Cloud/remote hosted (SaaS)

    These are systems with a lot of uncertainties because either the vendor or service provider is not known or what they are doing for security is not fully known.

    These systems need to be secured regardless, but supplier and vendor relationship management becomes a major component of how to manage these systems. Often, each system has varying levels of risk based on vendor practices.

    Hybrid owned (IaaS/PaaS)

    You likely have a good understanding of control for these systems, but they may not be fully managed by you (i.e. ownership of the infrastructure). These systems are often hosted by third parties that do some level of admin work.

    A main concern is the unclear definition of responsibility in maintaining these systems. These are managed to some degree by third parties; it is challenging for your security program to perform the full gamut of security or administrative functions.

    Unknown/unowned systems

    There are often systems that are unowned and even unknown and that very few people are using. These apps can be very small and may not fall under your IT management system framework. These systems create huge levels of risk due to limited visibility.

    For example, unapproved (shadow IT) file sharing or cloud storage applications would be unknown and unowned.

    1.1.4 Record your scope and boundaries

    Estimated Time: 30-60 minutes

    1. Divide into groups and give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the scope buckets.
    2. Collect each group’s responses and discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.
      • Careful attention should be paid to any elements of the strategy that are not in scope.
    3. Discuss and aggregate all responses as to what will be in scope of the security strategy and what will not be. Record these in the Information Security Requirements Gathering Tool.

    A screenshot of ‘Scope and Boundaries,’ part of the ‘Information Security Requirements Gathering Tool.’

    1.2 Conduct a risk assessment

    Estimated Time: 1-3 hours

    1. As a group, review the questions on the Risk Assessment tab of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk elements:
      • Threats
      • Assets
      • Vulnerabilities (people, systems, supply chain)
      • Historical security incidents

    Input

    • List of organizational assets
    • Historical data on information security incidents

    Output

    • Completed risk assessment

    Materials

    • Information Security Pressure Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Risk Management

    Download the Information Security Pressure Analysis Tool

    1.2.1 Complete the risk assessment questionnaire

    Estimated Time: 60-90 minutes

    1. Review each question in the questionnaire and provide the most appropriate response using the drop-down list.
      • If you are unsure of the answer, consult with subject matter experts to obtain the required data.
      • Otherwise, provide your best estimation.
    2. When providing responses for the historical incident questions, only count incidents that had a sizeable impact on the business.

    A screenshot of the ‘Organizational Security Risk Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    Info-Tech Insight

    Understanding your organization’s security risks is critical to identifying the most appropriate level of investment into your security program. Organizations with more security risks will need a more mature security program to mitigate those risks.

    1.2.2 Review the results of the risk assessment

    Estimated Time: 30 minutes

    1. Once you have completed the risk assessment, you can review the output on the Results tab.
    2. If required, the weightings of each of the risk elements can be customized on the Weightings tab.
    3. Once you have reviewed the results, copy your risk assessment diagram into the Information Security Strategy Communication Deck.

    A screenshot showing sample results of the ‘Organizational Risk Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    It is important to remember that the assessment measures inherent risk, meaning the risk that exists prior to the implementation of security controls. Your security controls will be assessed later as part of the gap analysis.

    1.3 Conduct pressure analysis

    Estimated Time: 1-2 hours

    1. As a group, review the questions on the Pressure Analysis tab of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following pressure elements:
      • Compliance and oversight
      • Customer expectations
      • Business expectations
      • IT expectations

    Input

    • Information on various pressure elements within the organization

    Output

    • Completed pressure analysis

    Materials

    • Information Security Pressure Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Leaders
    • Compliance

    Risk tolerance considerations

    At this point, we want to frame risk tolerance in terms of business impact. Meaning, what kinds of impacts to the business would we be able to tolerate and how often? This will empower future risk decisions by allowing the impact of a potential event to be assessed, then compared against the formalized tolerance. We will consider impact from three perspectives:

    F

    Functional Impact

    The disruption or degradation of business/organizational processes.

    I

    Informational Impact

    The breach of confidentiality, privacy, or integrity of data/information.

    R

    Recoverability Impact

    The disruption or degradation of the ability to return to conditions prior to a security incident.

    Consider these questions:

    Questions to ask

    Description

    Is there a hard-dollar impact from downtime?

    This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it affects sales, and therefore, revenue.

    Is regulatory compliance a factor?

    Depending on the circumstances of the vulnerabilities, it can be a violation of compliance obligations that would cause significant fines.

    Are any critical services dependent on this asset?

    Functional dependencies are sometimes not obvious, and assets that appear marginal can have huge impacts on critical services.

    Is there a health or safety risk?

    Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure uninterrupted critical health services. An exploited vulnerability that impacts these operations can have life and death consequences.

    ANALYST PERSPECTIVE

    It is crucial to keep in mind that what you care about is a risk scenario’s impact on the main business processes.

    For example, imagine a complete functional loss of the corporate printers. For most businesses, even the most catastrophic loss of printer function will have a small impact on their ability to carry out the main business functions.

    On the flip side, even a small interruption to email or servers could have a large functional impact on business processes.

    Risk tolerance descriptions

    High

    • Organizations with high risk tolerances are often found in industries with limited security risk, such as Construction, Agriculture and Fishing, or Mining.
    • A high risk tolerance may be appropriate for organizations that do not rely on highly sensitive data, have limited compliance obligations, and where their customers do not demand strong security controls. Organizations that are highly focused on innovation and rapid growth may also tend towards a higher risk tolerance.
    • However, many organizations adopt a high risk tolerance by default simply because they have not adequately assessed their risks.

    Moderate

    • Organizations with medium risk tolerances are often found in industries with moderate levels of security risk, such as Local Government, Education, or Retail and Wholesale.
    • A medium risk tolerance may be appropriate for organizations that store and process some sensitive data, have a modest number of compliance obligations, and where customer expectations for security tend to be implicit rather than explicit.

    Low

    • Organizations with low risk tolerances are often found in industries with elevated security risk, such as Financial Services, Federal Governments, or Defense Contractors.
    • A low risk tolerance may be appropriate for organizations that store very sensitive data, process high-value financial transactions, are highly regulated, and where customers demand strong security controls.
    • Some organizations claim to have a low risk tolerance, but in practice will often allow business units or IT to accept more security risk than would otherwise be permissible. A strong information security program will be required to manage risks to an acceptable level.

    1.4.1 Complete the risk tolerance questionnaire

    Estimated Time: 30-60 minutes

    1. In a group discussion, review the low-, medium-, and high-impact scenarios and examples for each impact category. Ensure that everyone has a consistent understanding of the scenarios.
    2. For each impact type, use the frequency drop-down list to identify the maximum frequency that the organization could tolerate for the event scenarios, considering:
      • The current frequency with which the scenarios are occurring in your organization may be a good indication of your tolerance. However, keep in mind that you may be able to tolerate these incidents happening more frequently than they do.
      • Hoping is not the same as tolerating. While everyone hopes that high-impact incidents never occur, carefully consider whether you could tolerate them occurring more frequently.

    A screenshot showing the ‘Organizational Security Risk Tolerance Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    1.4.2 Review the results of the risk tolerance analysis

    Estimated Time: 30 minutes

    1. Once you have completed the risk tolerance exercise, you can review the output on the Results tab.
    2. If required, the weightings of each of the impact types can be customized on the Weightings tab.
    3. Once you have reviewed the results, copy your risk tolerance diagram into the Information Security Strategy Communication Deck.

    A screenshot showing the results of the 'Information Security Risk Tolerance Assessment,' part of the ‘Information Security Pressure Analysis Tool.’

    A low risk tolerance will require a stronger information security program to ensure that operational security risk in the organization is minimized. If this tool reports that your risk tolerance is low, it is recommended that you review the results with your senior stakeholders to ensure agreement and support for the security program.

    1.5 Establish your target state

    Estimated Time: 30-60 minutes

    1. As a group, review the overall results of the requirements gathering exercise:
      • Business goals cascade
      • Compliance obligations
      • Scope
    2. Review the overall results of the risk assessment, pressure analysis, and risk tolerance exercises.
    3. Conduct a group discussion to arrive at a consensus of what the ideal target state for the information security program should look like.
      • Developing mission and vision statements for security may be useful for focusing the group.
      • This discussion should also consider the desired time frame for achieving the target state.

    Download the Information Security Pressure Analysis Tool

    Input

    • Information security requirements (goals cascade, compliance obligations, scope)
    • Risk assessment
    • Pressure analysis
    • Risk tolerance

    Output

    • Completed information security target state

    Materials

    Participants

    • Security Team
    • IT Leadership
    • Risk Management
    • Business Leaders
    • Compliance

    Understanding security target states

    Maturity models are very effective for determining information security target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state for information security in your organization.

    1. AD HOC

      Initial/Ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.
    2. DEVELOPING

      Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.
    3. DEFINED

      A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.
    4. MANAGED

      Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.
    5. OPTIMIZED

      An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

    1.5.1 Review the results of the target state recommendation

    Estimated Time: 30-60 minutes

    1. Based upon your risk assessment, pressure analysis, and risk tolerance, the Information Security Pressure Analysis Tool will provide a recommended information security target state.
    2. With your group, review the recommendation against your expectations.
    3. If required, the weightings of each of the factors can be customized on the Weightings tab.
    4. Once you have reviewed the results, copy your target state diagram into the Information Security Strategy Communication Deck.

    A screenshot showing the results of the ‘Information Security Target State,’ part of the ‘Information Security Pressure Analysis Tool.’

    Info-Tech Insight

    Higher target states require more investment to attain. It is critical to ensure that all key stakeholders agree on the security target state. If you set a target state that aims too high, you may struggle to gain support and funding for the strategy. Taking this opportunity to ensure alignment from the start will pay dividends in the future.

    1.5.2 Review and adjust risk and pressure weightings

    Estimated Time: 30 minutes

    1. If the results of your risk assessment, pressure analysis, risk tolerance, or target state do not match your expectations, you may need to review and adjust the weightings for the elements within one or more of these areas.
    2. On the Weightings tab, review each of the strategic categories and adjust the weights as required.
      • Each domain is weighted to contribute to your overall pressure score based on the perceived importance of the domain to the organization.
      • The sum of all weights for each category must add up to 100%.

    A screenshot showing the results of the weightings given to each factor in a category, part of the ‘Information Security Pressure Analysis Tool.’

    Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research Group

    Below are some of the primary requirements that influenced CSC’s initial strategy development.

    External Pressure

    Pressure Level: High

    • Highly regulated industries, such as Finance, experience high external pressure.
    • Security pressure was anticipated to increase over the following three years due to an increase in customer requirements.

    Obligations

    Regulatory: Numerous regulations and compliance requirements as a financial institution (PCI, FFIEC guidance).

    Customer: Implicitly assumes personal, financial, and health information will be kept secure.

    Risk Tolerance

    Tolerance Level: Low

    1. Management: Are risk averse and have high visibility into information security.
    2. Multiple locations controlled by a central IT department decreased the organization’s risk tolerance.

    Summary of Security Requirements

    Define and implement a dynamic information security program that understands and addresses the business’s inherent pressure, requirements (business, regulatory, and customer), and risk tolerance.

    Phase 2

    Build a Gap Initiative Strategy

      Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

      Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

      Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

      Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

      This phase will walk you through the following activities:

    • 2.1 Review Info-Tech’s framework.
    • 2.2 Assess your current state of security against your target state.
    • 2.3 Identify actions required to close gaps.

    2.1 Review the Info-Tech framework

    Estimated Time: 30-60 minutes

    1. As a group, have the security team review the security framework within the Information Security Gap Analysis Tool.
    2. Customize the tool as required using the instructions on the following slides.

    Input

    • Information security requirements
    • Security target state

    Output

    • Customized security framework

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team

    Download the Information Security Gap Analysis Tool

    Understand the Info-Tech framework

    Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:

    • ISO 27001/27002
    • COBIT
    • Center for Internet Security (CIS) Critical Controls
    • NIST Cybersecurity Framework
    • NIST SP 800-53
    • NIST SP 800-171

    A diagram depicting Info-Tech’s best-of-breed security framework.

    A best-of-breed approach ensures holistic coverage of your information security program while refraining from locking you in to a specific compliance standard.

    2.1.1 Configure the Information Security Gap Analysis Tool

    Estimated Time: 30 minutes

    Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:

    • The security target state. Enter the target state from your Information Security Pressure Analysis Tool. If you do not enter a target state, the tool will default to a target of 3 (Defined).
    • Your Security Alignment Goals (from your Information Security Requirements Gathering Tool).
    • The starting year for your security roadmap.

    A screenshot showing the ‘Setup’ tab of the ‘Information Security Gap Analysis Tool.’

    2.2 Assess current state of security

    Estimated Time: 8-16 hours

    1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to complete your current state and target state assessment.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Input

    • Security target state
    • Information on current state of security controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

    Output

    • Gap analysis

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Example maturity levels

    To help determine appropriate current and target maturity levels, refer to the example below for the control “Email communication is filtered for spam and potential malicious communications.”

    AD HOC 01

    There is no centrally managed spam filter. Spam may be filtered by endpoint email clients.

    DEVELOPING 02

    There is a secure email gateway. However, the processes for managing it are not documented. Administrator roles are not well defined. Minimal fine-tuning is performed, and only basic features are in use.

    DEFINED 03

    There is a policy and documented process for email security. Roles are assigned and administrators have adequate technical training. Most of the features of the solution are being used. Rudimentary reports are generated, and some fine-tuning is performed.

    MANAGED 04

    Metrics are produced to measure the effectiveness of the email security service. Advanced technical features of the solution have been implemented and are regularly fine-tuned based on the metrics.

    OPTIMIZED 05

    There is a dedicated email security administrator with advanced technical training. Custom filters are developed to further enhance security, based on relevant cyber threat intelligence. Email security metrics feed key risk indicators that are reported to senior management.

    2.2.1 Conduct current state assessment

    Estimated Time: 8-16 hours

    1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
      • You should only use “N/A” if you are confident that the control is not required in your organization.
      • For example, if your organization does not perform any software development, then you can select “N/A” for any controls related to secure coding practices.
    2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
    3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

    A screenshot showing the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Review the Gap Analysis Dashboard

    Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.

    Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired.

    Security domains that appear white have not yet been assessed or are rated as “N/A.”

    2.3 Identify actions required to close gaps

    Estimated Time: 4-8 hours

    1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to identify gap closure actions for each control that requires improvement.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Input

    • Security control gap information

    Output

    • Gap closure action list

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

    2.3.1 Identify gap closure actions

    Estimated Time: 4-8 hours

    1. For each of the controls where there is a gap between the current and target state, a gap closure action should be identified:
      • Review the example actions and copy one or more of them if appropriate. Otherwise, enter your own gap closure action.
    2. Identify whether the action should be managed as a task or as an initiative. Most actions should be categorized as an initiative. However, it may be more appropriate to categorize them as a task when:
      1. They have no costs associated with them
      2. They require a low amount of initial effort to implement and no ongoing effort to maintain
      3. They can be accomplished independently of other tasks

    A screenshot showing gap closure actions, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Considerations for gap closure actions

    • In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Actions column.
    • The example gap closure actions may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
    • Not all gaps will require their own action. You can enter one action that may address multiple gaps.
    • If you find that many of your actions are along the lines of “investigate and make recommendations,” you should consider using the estimated gap closure percentage column to track the fact that these gaps will not be fully closed by the actions.

    A screenshot showing considerations for gap closure actions, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    2.3.2 Define gap closure action effectiveness

    Estimated Time: 1-2 hours

    For each of the gap closure actions, optionally enter an estimated gap closure percentage to indicate how effective the action will be in fully closing the gap.

    • For instance, an action to “investigate solutions and make recommendations” will not fully close the gap.
    • This is an optional step but will be helpful to understand how much progress towards your security target state you will make based on your roadmap.
    • If you do not fill in this column, the tool will assume that your actions will fully close all gaps.

    A screenshot showing considerations for estimated gap closure percentage, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Completing this step will populate the “Security Roadmap Progression” diagram in the Results tab, which will provide a graphic illustration of how close to your target state you will get based upon the roadmap.

    Phase 3

    Prioritize Initiatives and Build Roadmap

    This phase will walk you through the following activities:

    • 3.1 Define tasks and initiatives.
    • 3.2 Define cost, effort, alignment, and security benefit of each initiative.
    • 3.3 Prioritize initiatives.
    • 3.4 Build the prioritized security roadmap.

    3.1 Define tasks and initiatives

    Estimated Time: 2-4 hours

    1. As a group, review the gap actions identified in the Gap Analysis tab.
    2. Using the instructions on the following slides, finalize your task list.
    3. Using the instructions on the following slides, review and consolidate your initiative list.

    Input

    • Gap analysis

    Output

    • List of tasks and initiatives

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    3.1.1 Finalize your task list

    Estimated Time: 1-2 hours

    1. Obtain a list of all your task actions by filtering on the Action Type column in the Gap Analysis tab.
    2. Paste the list into the table on the Task List tab.
      • Use Paste Values to retain the table formatting.
    3. Enter a task owner and due date for each task. Without accountability, it is too easy to fall into complacency and neglect these tasks.

    A screenshot showing the 'Task List' tab of the 'Information Security Gap Analysis Tool.'

    Info-Tech Insight

    Tasks are not meant to be managed to the same degree that initiatives will be. However, they are still important. It is recommended that you develop a process for tracking these tasks to completion.

    3.1.2 Consolidate your gap closure actions into initiatives

    Estimated Time: 2-3 hours

    1. Once you have finalized your task list, you will need to consolidate your list of initiative actions. Obtain a list of all your initiative actions by filtering on the Action Type column in the Gap Analysis tab.
    2. Create initiatives on the Initiative List tab. While creating initiatives, consider the following:
      • As much as possible, it is recommended that you consolidate multiple actions into a single initiative. Reducing the total number of initiatives will allow for more efficient management of the overall roadmap.
      • Start by identifying areas of commonality between gap closure actions, for instance:
        • Group all actions within a security domain into a single initiative.
        • Group together similar actions, such as all actions that require updating policies.
        • Consider combining actions that have inter-dependencies.
      • While it is recommended that you consolidate actions as much as possible, some actions should become initiatives on their own. This will be appropriate when:
        • The action is time sensitive and consolidating it with other actions will cause scheduling issues.
        • Actions that could otherwise be consolidated have different business sponsors or owners and need to be kept separate for funding or accountability reasons.
    3. Link the initiative actions on the Gap Analysis tab using the drop-down list in the Initiative Name column.

    Initiative consolidation example

    In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.”

    We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

    Info-Tech Insight

    As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.

    A screenshot showing how six sample gap closure actions can be distilled into two gap closure initiatives. Part of the 'Information Security Gap Analysis Tool.'

    3.1.3 Finalize your initiative list

    Estimated Time: 30 minutes

    1. Review your final list of initiatives and make any required updates.
    2. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
    3. Use the drop-down list to indicate which of the security alignment goals most appropriately reflects the objectives of the initiative. If you are unsure, use the legend next to the table to find the primary security domain associated with the initiative and then select the recommended security alignment goal.
      • This step is important to understand how the initiative supports the business goals identified earlier.

     A screenshot showing the primary security alignment goal, part of the 'Initiative List' tab of the 'Information Security Gap Analysis Tool.'

    3.2 Conduct cost/benefit analysis

    Estimated Time: 1-2 hours

    1. As a group, define the criteria to be used to conduct the cost/benefit analysis, following the instructions on the next slide.
    2. Assign costing and benefits information for each initiative.
    3. Define dependencies or business impacts if they will help with prioritization.

    Input

    • Gap analysis
    • Initiative list

    Output

    • Completed cost/benefit analysis for initiative list

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    3.2.1 Define costing criteria

    Estimated Time: 30 minutes

    1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low ranges for initial and ongoing costs and efforts.
      1. Initial costs are one-time, upfront capital investments (e.g. hardware and software costs, project-based consulting fees, training).
      2. Ongoing costs are any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
      3. Initial staffing in hours is the total time in person-hours required to complete a project. It is dedicated time, not total elapsed time. Consider the time required to gather requirements and to design, test, and implement the solution.
      4. Ongoing staffing in FTEs is the ongoing average effort required to support that initiative after implementation.
    2. In addition to ranges, provide an average for each. These will be used to calculate estimated total costs for the roadmap.

    A screenshot showing the initiative costs for estimation, part of the 'Setup' tab of the 'Information Security Gap Analysis Tool.' The range of costs is labeled with an arrow with number 1 on it, and the average cost per initiative is labeled with an arrow with number 2 on it.

    Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.

    3.2.2 Define benefits criteria

    Estimated Time: 30 minutes

    1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low values for the Alignment with Business Benefit.
      • This variable is meant to capture how well each initiative aligns with organizational goals and objectives.
      • By default, this benefit is linked directly to business goals through the primary and secondary security alignment goals. This allows the tool to automatically calculate the benefit based on the security alignment goals associated with each initiative.
      • If you change these values, you may need to override the calculated values in the prioritization tab.
    2. Enter a high, medium, and low value for the Security Benefit.
      • This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative.
      • By default, this benefit is linked to security risk reduction.

    A screenshot showing the initiative benefits for estimation, part of the 'Setup' tab of the 'Information Security Gap Analysis Tool.'

    Some organizations prefer to use the “Security Benefit” criterion to demonstrate how well each initiative supports specific compliance goals.

    3.2.3 Complete the cost/benefit analysis

    Estimated Time: 1-2 hours

    1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
      • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
    2. Enter the estimated benefits, also using the criteria defined earlier.
      • The Alignment with Business benefit will be automatically populated, but you can override this value using the drop-down list if desired.

    A screenshot showing the estimated cost, estimated effort, and estimated benefits section, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' Estimated cost and estimated effort are labeled with an arrow with number 1 on it, and estimated benefits is labeled with an arrow with a number 2 on it.

    3.2.4 Optionally enter detailed cost estimates

    Estimated Time: 30 minutes

    1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in steps 3.2.1 and 3.2.2. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
      • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
      • You have defined your “Medium” cost range as being “$10-100K”, so you select medium as your initial cost for this initiative in step 3.2.3. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
      • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

    A screenshot showing the detailed cost estimates and detailed staffing estimates columns, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' These columns are labeled with an arrow with a number 1 on it.

    Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research Group

    A chart titled 'Framework Components,' displaying how the Credit Service Company profiled in the case study performed a current state assessment, created gap initiatives, and prioritized gap initiatives.

    3.3 Prioritize initiatives

    Estimated Time: 2-3 hours

    1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
      • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
      • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
    2. Follow step 3.3.1 to create an effort map with the results of the cost/benefit analysis.
    3. Follow step 3.3.2 to assign initiatives into execution waves.

    Input

    • Gap analysis
    • Initiative list
    • Cost/benefit analysis

    Output

    • Prioritized list of initiatives

    Materials

    • Information Security Gap Analysis Tool
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.3.1 Create effort map

    Estimated Time: 30 minutes

    1. On a whiteboard, draw the quadrant diagram shown.
    2. Create sticky notes for each initiative on your initiative list.
    3. For each initiative, use the “Cost/Effort Rating” and the “Benefit Rating” calculated on the Prioritization tab to place the corresponding sticky note onto the diagram.

    An effort map is a tool used for the visualization of a cost/benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized. In this example, the initiative “Update Security Policies” was assessed as low cost/effort (3) and high benefit (10).

    An image showing how 'update security policies,' as ranked on a cost/effort and benefit quadrant, translates to a cost/effort and benefit rating on the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.'

    3.3.2 Assign initiatives to execution waves

    Estimated Time: 60 minutes

    1. Using sticky flip chart sheets, create four sheets and label them according to the four execution waves:
      • MUST DO – These are initiatives that need to get moving right away. They may be quick wins, items with critical importance, or foundational projects upon which many other initiatives depend.
      • SHOULD DO – These are important initiatives that need to get done but cannot launch immediately due to budget constraints, dependencies, or business impacts that require preparation.
      • COULD DO – Initiatives that have merit but are not a priority.
      • WON’T DO – Initiatives where the costs outweigh the benefits.
    2. Using the further instructions on the following slides, move the initiative sticky notes from your effort map into the waves.

    Considerations for prioritization

    • Starting from the top right of the effort map, begin pulling stickies off and putting them in the appropriate roadmap category.
    • Keep dependencies in mind. If an important initiative depends on a low-priority one being completed first, then pull dependent initiatives up the list.
    • It may be helpful to think of each wave as representing a specific time frame (e.g. wave 1 = first year of your roadmap, wave 2 = year two, wave 3 = year three).

    Info-Tech Insight

    Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.

    An image showing how to map the sticky notes from a sample exercise, as placed on a cost/effort and benefit quadrant, into waves.

    3.3.3 Finalize prioritization

    Estimated Time: 30 minutes

    1. Once you have completed placing your initiative sticky notes into the waves, update the Prioritization tab with the Roadmap Wave column.
    2. Optionally, use the Roadmap Sub-Wave column to prioritize initiatives within a single wave.
      • This will allow you more granular control over the final prioritization, especially where dependencies require extra granularity.

    Any initiatives that are currently in progress should be assigned to Wave 0.

    An image showing the roadmap wave and roadmap sub-wave sections, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' Roadmap wave is labeled with an arrow with a number 1 on it, and roadmap sub-wave is labeled with an arrow with a number 2 on it.

    3.4 Build roadmap

    Estimated Time: 1-3 hours

    1. As a group, follow step 3.4.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Information Security Gap Analysis Tool.
    2. Review the roadmap for resourcing conflicts and adjust as required.
    3. Review the final cost and effort estimates for the roadmap.

    Input

    • Gap analysis
    • Cost/benefit analysis
    • Prioritized initiative list
    • (Optional) List of other non-security IT and business projects

    Output

    • Security strategic roadmap

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.4.1 Schedule initiatives using the Gantt chart

    Estimated Time: 1-2 Hours

    1. On the Gantt Chart tab for each initiative, enter an owner (the individual who will be primarily responsible for execution).
    2. Additionally, enter a start month and year for the initiative and the expected duration in months.
      • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
      • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.

    Info-Tech Insight

    Use the Owner column to help identify resourcing constraints. If a single individual is responsible for many different initiatives that are planned to start at the same time, consider staggering those initiatives.

    An image showing the owner and planned start sections, part of the 'Security Roadmap Gantt Chart' tab of the 'Information Security Gap Analysis Tool.' The owner column is labeled with an arrow with a 1 on it, and the planned start column is labeled with an arrow with a 2 on it.

    3.4.2 Review your roadmap

    Estimated Time: 30-60 minutes

    1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
      • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
      • Does your organization have regular change freezes throughout the year that will impact the schedule?
      • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
      • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
      • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

    A screenshot image showing parts of the 'Security Roadmap Gantt Chart' tab with sample data in it. Taken from the 'Information Security Gap Analysis Tool.'

    3.4.3 Review your expected roadmap progression

    Estimated Time: 30 minutes

    1. If you complete the optional exercise of filling in the Estimated Gap Closure Percentage column on the Gap Analysis tab, the tool will generate a diagram showing how close to your target state you can expect to get based on the tasks and initiatives in your roadmap. You can review this diagram on the Results tab.
      • Remember that this Expected Maturity at End of Roadmap score assumes that you will complete all tasks and initiatives (including all Wave 4 initiatives).
    2. Copy the diagram into the Information Security Strategy Communication Deck.

    Info-Tech Insight

    Often, internal stakeholders will ask the question “If we do everything on this roadmap, will we be at our target state?” This diagram will help answer that question.

    A screenshot image showing the 'Expected Security Roadmap Progression' with sample data in it. Part of the 'Results' tab of the 'Information Security Gap Analysis Tool.'

    3.4.4 Review your cost/effort estimates table

    Estimated Time: 30 minutes

    1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
      • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
      • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.
      • This table provides you with the information to have important conversations with management and stakeholders.
    2. When you have completed your review, copy the table into the Information Security Strategy Communication Deck.

    A screenshot image showing the 'Information Security Roadmap Cost/Effort Estimates,' part of the 'Results' tab of the 'Information Security Gap Analysis Tool.'

    Phase 4

    Execute and Maintain

    Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

    Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

    Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

    Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    • 4.1 Build your security strategy communication deck.
    • 4.2 Develop a security charter.
    • 4.3 Execute on your roadmap.

    4.1 Build your communication deck

    Estimated Time: 1-3 hours

    1. As a group, review the Information Security Strategy Communication Deck.
    2. Follow the instructions within the template and on the next few slides to customize the template with the results of your strategic roadmap planning.

    Input

    • Completed Security Requirements Gathering Tool
    • Completed Security Pressure Analysis Tool
    • Completed Security Gap Analysis Tool

    Output

    • Information Security Strategy Communication Deck

    Materials

    • Information Security Strategy Communication Deck

    Participants

    • Security Team
    • IT Leadership

    Download the Information Security Gap Analysis Tool

    4.1.1 Customize the Communication Deck

    Estimated Time: 1-2 hours

    1. When reviewing the Information Security Strategy Communication Deck, you will find slides that contain instructions within green text boxes. Follow the instructions within the boxes, then delete the boxes.
      • Most slides only require that you copy and paste screenshots or tables from your tools into the slides.
      • However, some slides require that you customize or add text explanations that need to reflect your unique organization.
      • It is recommended that you pay attention to the Next Steps slide at the end of the deck. This will likely have a large impact on your audience.
    2. Once you have customized the existing slides, you may wish to add additional slides. For instance, you may wish to add more context to the risk assessment or pressure analysis diagrams or provide details on high-priority initiatives.

    An image showing the 'Business Goals Cascade,' part of the 'Information Security Strategy Communication Deck.' A green box on top of the screenshot instructs you to 'Paste your goals cascade from the Information Security Requirements Gathering Tool here.'

    Consider developing multiple versions of the deck for different audiences. Senior management may only want an executive summary, whereas the CIO may be more interested in the methodology used to develop the strategy.

    Communication considerations

    Developing an information security strategy is only half the job. For the strategy to be successful, you will need to garner support from key internal stakeholders. These may include the CIO, senior executives, and business leaders. Without their support, your strategy may never get the traction it needs. When building your communication deck and planning to present to these stakeholders, consider the following:

    • Gaining support from stakeholders requires understanding their needs. Before presenting to a new audience, carefully consider their priorities and tailor your presentation to address them.
    • Use the communication deck to clarify the business context and how your initiatives will support business goals.
    • When presenting to senior stakeholders, anticipate what questions they might ask and be sure to prepare answers in advance. Always be prepared to speak to any data point within the deck.
    • If you are going to present your strategy to a group and you anticipate that one or more members of that group may be antagonistic, seek out an opportunity to speak to them before the meeting and address their concerns one on one.

    If you have already fully engaged your key stakeholders through the requirements gathering exercises, presenting the strategy will be significantly easier. The stakeholders will have already bought in to the business goals, allowing you to show how the security strategy supports those goals.

    Info-Tech Insight

    Reinforce the concept that a security strategy is an effort to enable the organization to achieve its core mission and goals and to protect the business only to the degree that the business demands. It is important that stakeholders understand this point.

    4.2 Develop a security charter

    Estimated Time: 1-3 hours

    1. As a group, review the Information Security Charter.
    2. Customize the template as required to reflect your information security program. It may include elements such as:
      • A mission and vision statement for information security in your organization
      • The objectives and scope of the security program
      • A description of the security principles upon which your program is built
      • High-level roles and responsibilities for information security within the organization

    Input

    • Completed Security Requirements Gathering Tool
    • Completed Security Pressure Analysis Tool
    • Completed Security Gap Analysis Tool

    Output

    • Information security charter

    Materials

    • Information Security Charter

    Participants

    • Security Team

    Download the Information Security Gap Analysis Tool

    4.2.1 Customize the Information Security Charter

    Estimated Time: 1-3 hours

    1. Involve the stakeholders that were present during Phase 1 activities to allow you to build a charter that is truly reflective of your organization.
    2. The purpose of the security charter is to:
      • Establish a mandate for information security within the organization.
      • Communicate executive commitment to risk and information security management.
      • Outline high-level responsibilities for information security within the organization.
      • Establish awareness of information security within the organization.

    A screenshot of the introduction of the 'Information Security Charter' template.

    A security charter is a formalized and defined way to document the scope and purpose of your security program. It will define security governance and allow it to operate efficiently through your mission and vision.

    4.3 Execute on your roadmap

    1. Executing on your information security roadmap will require coordinated effort by multiple teams within your organization. To ensure success, consider the following recommendations:
      1. If you have a project management office, leverage them to help apply formal project management methodologies to your initiatives.
      2. Develop a process to track the tasks on your strategy task list. Because these will not be managed as formal initiatives, it will be easy to lose track of them.
      3. Develop a schedule for regular reporting of progress on the roadmap to senior management. This will help hold yourself and others accountable for moving the project forward.
    2. Plan to review and update the strategy and roadmap on a regular basis. You may need to add, change, or remove initiatives as priorities shift.

    Input

    • Completed Security Gap Analysis Tool

    Output

    • Execution of your strategy and roadmap

    Materials

    • Information Security Gap Analysis Tool
    • Project management tools as required

    Participants

    • Security Team
    • Project Management Office
    • IT and Corporate Teams, as required

    Info-Tech Insight

    Info-Tech has many resources that can help you quickly and effectively implement most of your initiatives. Talk to your account manager to learn more about how we can help your strategy succeed.

    Summary of Accomplishment

    Knowledge Gained

    • Knowledge of organizational pressures and the drivers behind them
    • Insight into stakeholder goals and obligations
    • Defined security risk tolerance information and baseline
    • Comprehensive knowledge of security current state and summary initiatives required to achieve security objectives

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    Additional Support

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Information Security Program Gap Analysis Tool

    Use our best-of-breed security framework to perform a gap analysis between your current and target states.

    Information Security Requirements Gathering Tool

    Define the business, customer, and compliance alignment for your security program.

    Related Info-Tech Research

    Develop a Security Operations Strategy

    A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.

    This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Implement a Security Governance and Management Program

    Your security governance and management program needs to be aligned with business goals to be effective.

    This approach also helps to provide a starting point to develop a realistic governance and management program.

    This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

    Align Your Security Controls to Industry Frameworks for Compliance

    Don’t reinvent the wheel by reassessing your security program using a new framework.

    Instead, use the tools in this blueprint to align your current assessment outcomes to required standards.

    Research Contributors

    • Peter Clay, Zeneth Tech Partners, Principal
    • Ken Towne, Zeneth Tech Partners, Security Architect
    • Luciano Siqueria, Road Track, IT Security Manager
    • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
    • Rick Vadgama, Cimpress, Head of Information Privacy and Security
    • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
    • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
    • Trevor Butler, City of Lethbridge, Information Technology General Manager
    • Shane Callahan, Tractor Supply, Director of Information Security
    • Jeff Zalusky, Chrysalis, President/CEO
    • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
    • Dan Humbert, YMCA of Central Florida, Director of Information Technology
    • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
    • Jason Bevis, FireEye, Senior Director Orchestration Product Management - Office of the CTO
    • Joan Middleton, Village of Mount Prospect, IT Director
    • Jim Burns, Great America Financial Services, Vice President Information Technology
    • Ryan Breed, Hudson’s Bay, Information Security Analyst
    • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

    Create an IT View of the Service Catalog

    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $59,399 Average $ Saved
    • member rating average days saved: 66 Average Days Saved
    • Organizations often don’t understand which technical services affect user-facing services.
    • Organizations lack clarity around ownership of responsibilities for service delivery.
    • Organizations are vulnerable to change-related incidents when they don’t have insight into service dependencies and their business impact.

    Our Advice

    Critical Insight

    • Even IT professionals underestimate the effort and the complexity of technical components required to deliver a service.
    • Info-Tech’s methodology promotes service orientation among technical teams by highlighting how their work affects the value of user-facing services.
    • CIOs can use the technical part of the catalog as a tool to articulate the value, dependencies, and constraints of services to business leaders.

    Impact and Result

    • Extend the user-facing service catalog to document the people, processes, and technology required to deliver user-facing services.
    • Bring transparency to how services are delivered to better articulate IT’s capabilities and strengthen IT-business alignment.
    • Increase IT’s ability to assess the impact of changes, make informed decisions, and mitigate change-related risks.
    • Respond to incidents and problems in the IT environment with more agility due to reduced diagnosis time for issues.

    Create an IT View of the Service Catalog Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build the technical components of your service catalog, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Build a strong foundation for the project to increase the chances of success.

    • Create an IT View of the Service Catalog – Phase 1: Launch the Project
    • Service Catalog Extension Project Charter
    • Service Catalog Extension Training Deck

    2. Identify service-specific technologies

    Identify which technologies are specific to certain services.

    • Create an IT View of the Service Catalog – Phase 2: Identify Service-Specific Technology
    • IT Service Catalog

    3. Identify underpinning technologies

    Determine which technologies underpin the existence of user-facing services.

    • Create an IT View of the Service Catalog – Phase 3: Identify Underpinning Services

    4. Map the people and processes to the technologies they support

    Document the roles and responsibilities required to deliver each user-facing service.

    • Create an IT View of the Service Catalog – Phase 4: Determine People & Process
    • Service Definitions: Visual Representations

    Workshop: Create an IT View of the Service Catalog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the Project

    The Purpose

    Build a foundation to kick off the project.

    Key Benefits Achieved

    A carefully selected team of project participants.

    Identified stakeholders and metrics.

    Activities

    1.1 Create a communication plan

    1.2 Complete the training deck

    Outputs

    Project charter

    Understanding of the process used to complete the definitions

    2 Identify Service-Specific Technologies and Underpinning Technologies

    The Purpose

    Determine the technologies that support the user-facing services.

    Key Benefits Achieved

    Understanding of what is required to run a service.

    Activities

    2.1 Determine service-specific technology categories

    2.2 Identify service-specific technologies

    2.3 Determine underpinning technologies

    Outputs

    Logical buckets of service-specific technologies that make them easier to identify

    Identified technologies

    Identified underpinning services and technologies

    3 Identify People and Processes

    The Purpose

    Discover the roles and responsibilities required to deliver each user-facing service.

    Key Benefits Achieved

    Understanding of what is required to deliver each user-facing service.

    Activities

    3.1 Determine roles required to deliver services based on organizational structure

    3.2 Document the services

    Outputs

    Mapped responsibilities to each user-facing service

    Completed service definition visuals

    4 Complete the Service Definition Chart and Visual Diagrams

    The Purpose

    Create a central hub (database) of all the technical components required to deliver a service.

    Key Benefits Achieved

    Single source of information where IT can see what is required to deliver each service.

    Ability to leverage the extended catalog to benefit the organization.

    Activities

    4.1 Document all the previous steps in the service definition chart and visual diagrams

    4.2 Review service definition with team and subject matter experts

    Outputs

    Completed service definition visual diagrams and completed catalog

    Social Media Management Software Selection Guide

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Social media has changed the way businesses interact with their customers. It is essential to engage with your customers regularly and in a timely manner.
    • Businesses must stay on top of the latest news and update the public regarding the status of downtime or any mishaps.
    • Customers are present in multiple social media platforms, and it is important for businesses to engage with all audiences without alienating one group.

    Our Advice

    Critical Insight

    • There are many social media platforms, and any post, image, or other content must be uploaded on all the platforms with minimal delay.
    • It is often difficult to manage replies and responses to all social media platforms promptly.
    • Measuring key performance metrics is crucial to obtain targeted ROI. Calculating ROI across multiple platforms with various audiences is a challenge.

    Impact and Result

    • A business’ social media presence is an extension of the organization, and the social media management strategy must align with the organization's values.
    • Choose a social media management platform that is right for you by aligning your needs without falling for bells and whistles. Vendors offer a lot of features that are not helpful for most day-to-day activities.
    • Ensure the social media management platform has support and integrations for all the platforms that you require.

    Social Media Management Software Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Social Media Management Software Selection Guide – A deck outlining the features of SMMP tools and top vendors in the marketspace.

    This research offers insight into web analytic tools, key trends in the marketspace, and advanced web analytics techniques. It also provides an overview of the ten top vendors in the marketspace.

    • Social Media Management Software Selection Guide Storyboard

    Further reading

    Social Media Management Software Selection Guide

    Identify the best tools for your social media management needs.

    Analyst Perspective

    Connecting through social media is an essential way to understand and engage with your customers.

    Social media management platforms (SMMP) allow businesses to engage with customers more efficiently. Ten years ago, Facebook and Twitter dominated the social media space, but many alternatives have emerged that attract a wide variety of audiences today. Every social media platform has a unique demographic; for instance, LinkedIn attracts an audience looking to develop their professional career, while Snapchat attracts those who want to share their everyday casual experience.

    It is important for businesses and brands to engage with all kinds of audiences without alienating a certain group. Domino's, for example, can sell pizzas to business professionals and teenagers alike, so connecting with both customer segments via personalized and meaningful posts in their preferred platform is a great way to grow their business.

    To successfully implement a social media management platform, organizations need to ensure they have their requirements and business needs shortlisted and choose vendors that ensure the best return on investment (ROI).

    Sai Krishna Rajaramagopalan
    Research Specialist, Customer Experience & Application Insights
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Social media has changed the way businesses interact with customers. It is essential to engage with them regularly and in a timely manner.
    • Businesses must stay on top of the latest news and update the public regarding any downtime or mishaps.
    • Customers are present on multiple social media platforms, and businesses need to engage all audiences without neglecting or alienating any one group.

    Common Obstacles

    • There are many social media platforms, and any post, image, or other content must be uploaded on every platform with minimal delay.
    • It is often difficult to manage audience interaction on all social media platforms in a timely manner.
    • Measuring key performance metrics is crucial to obtaining the targeted ROI. Calculating ROI across multiple platforms with varying audiences is a challenge.

    Info-Tech's Approach

    • Social media presence is an extension of the organization, and the social media management strategy must align with organizational values.
    • Understand your feature requirements and don't fall for bells and whistles. Vendors offer many features that are not helpful during 80% of day-to-day activities. Choose the SMMP that is right for your organization's needs.
    • Ensure the SMMP has support and integrations for all the platforms that you require.

    Info-Tech Insight

    Choosing a good SMMP is only the first step. Having great social media managers who understand their audience is essential in maintaining a healthy relationship with your audience.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Call #1: Understand what a social media management platform (SMMP) is.
    Call #2: Build the business case to select an SMMP.

    Phase 2

    Call #3: Define your key SMMP requirements.
    Call #4: Build procurement items, such as a request for proposal (RFP).
    Call #5: Evaluate the SMMP solution landscape and shortlist viable options.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The SMMP selection process should be broken into segments:

    1. SMMP shortlisting with this buyer's guide
    2. Structured approach to selection
    3. Contract review

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    What exactly is an SMMP platform?

    A social media management platform is a software solution that enables businesses and brands to manage multiple social media accounts. It facilitates making posts, monitoring metrics, and engaging with your audience.

    An SMMP platform offers many key features, including but not limited to the following capabilities:

    • Integrate with popular social media platforms
    • Post images, text, videos on multiple platforms at once
    • Schedule posts
    • Track and monitor activity on social media accounts
    • Send replies and view likes and comments across all accounts
    • Reporting and analytics
    • Send alerts and notifications regarding key events
    • Multilingual support and translation

    Info-Tech Insight

    Social media management platforms have continuously expanded their features list. It is, however, essential not to get lost in endless features to remain competitive and ensure the best ROI.

    Key trends – short-form videos drive the most engagement

    Short-form videos

    Short-form videos are defined as videos less than two minutes long. Shorter videos take substantially less time and effort to consume, making them very attractive for marketing brands to end users. According to a study conducted by Vidyard, more than 50% of viewers end up watching an entire video if it's less than one minute. Another study finds that over 93% of the surveyed brands sold their product or service to a customer through a social media video.

    Popular social media platforms such as TikTok, Instagram, YouTube, etc. have caught on to this trend and introduced short-form videos, more commonly called "shorts." It's also common for content creators and brands to cut and upload short clips from longer videos to drive more engagement with viewers.

    Key Trends

    Short-form videos have higher viewership and view time compared to long videos.

    58%

    About 58% of viewers watch the video to the end if it’s under one minute long. A two-minute video manages to keep around 50% of its viewers till the end.
    Source: Oberlo, 2020

    30%

    Short-form videos have the highest ROI of any social media marketing at 30%.
    Source: Influencer Marketing Hub, 2023

    Key trends – influencer marketing

    Influencer marketing

    Influencer marketing is the collaboration of brands with online influencers and content creators across various social media platforms to market their products and services. Influencers are not necessarily celebrities; they can be any individual with a dedicated community. This makes influencers abundant. For instance, compare the number of popular football players with the number of YouTubers on the planet.

    Unlike traditional marketing methods, influencer marketing is effective across different budget levels. This is because the engagement level of small influencers with 10,000 followers is higher than the engagement level of large influencers with millions of followers. If a brand is budget conscious, working with smaller influencers still gives a good ROI. For every dollar spent on influencer marketing, the average ROI is $5.78.

    Key Trends

    61%

    A recent study by Matter found that 61% of consumers trust influencers' recommendations over branded social media content.
    Source: Shopify, 2022

    According to data gathered by Statista, the influencer marketing industry has more than doubled since 2019. It was worth $16.4 billion in 2022.
    Source: Statista, 2023

    Executive Brief Case Study

    INDUSTRY: Retail
    SOURCE: "5 Influencer Marketing Case Studies," HubSpot

    H&M

    H&M was looking to build awareness and desirability around the brand to drive clothing sales during the holiday season. They decided to partner with influencers and align content with each celebrity's personality and lifestyle to create authentic content and messaging for H&M. H&M selected four lesser-known celebrities with highly engaged and devoted social media followings: Tyler Posey, Peyton List, Jana Kramer, and Hannah Simone.

    They posted teaser clips across various platforms to create buzz about the campaign a couple of days before the full, one-minute videos were released. Presenting the content two different times enabled H&M to appeal to more viewers and increase the campaign's visibility. Two of the celebrities, List and Kramer, garnered more views and engagement on the short clip than the full video, highlighting that a great short clip can be more effective than long-form content.

    Results

    The campaign achieved 12 million views on YouTube, 1.3 million likes, 14,000 comments, and 19,000 shares. The average engagement with consumers across all four celebrities was 10%.

    A screenshot of Tyler Posey's sponsored video.

    Tyler Posey's sponsored video achieved:

    • 25% engagement rate on Instagram
    • 14% engagement rate across Facebook, Twitter, and Instagram

    Key trends – social commerce is the future of e-commerce

    Social commerce

    Social commerce is the selling of goods and services through social media. This may involve standalone stores on social media platforms or promotions on these platforms which link to traditional e-commerce platforms.

    Social media platforms contain more data about consumers than traditional platforms, which allows more accurate targeting of ads and promotions. Additionally, social commerce can place ads on popular influencer stories and posts, taking advantage of influencer marketing without directly involving the influencers.

    Popular platforms have opened their own built-in stores. Facebook created Marketplace and Facebook Shops. TikTok soon followed with the TikTok Shopping suite. These stores allow platforms to lower third-party costs and have more control over which products are featured. This also creates a transactional call to action without leaving social media.

    Key Trends

    2020 saw a sizable increase in social commerce occurring on social media networks, with users making purchases directly from their social accounts.

    30.8%

    Sales through social commerce are expected to grow about 30.8% per year from 2020 to 2025. The growth rate is expected to increase to 35% in 2026.
    Source: Oberlo, 2020

    46%

    China has the highest social commerce adoption rate in the world, with 46% of all internet users making at least one purchase. The US is second with a 36% adoption rate.
    Source: Influencer Marketing Hub, 2022

    Executive Brief Case Study

    Best Buy

    The Twitter Shop Module allows select brands to showcase products at the top of Twitter business profiles. Users can scroll through a carousel of products on a brand's profile and tap on individual products to read more and make purchases without leaving the platform.

    While the results of Twitter's Shop Module experiment are still pending, brands aren't waiting around to sell on the platform. Best Buy and others continue to link to well-formatted product pages directly in their Tweets.

    Clear, direct calls to action such as "Pick yours up today" encourage interested audiences to click through, learn more, and review options for purchase. In this social commerce example, Best Buy also makes optimal use of a Tweet's character limit. In just a few words, the brand offers significant savings for a high-quality product, then doubles down with a promotional trade-in offer. Strong imagery is the icing on the cake.

    INDUSTRY: Retail
    SOURCE: "5 genius social commerce examples," Sprout Social, 2021

    Image shows a social media post by Best Buy.

    Key trends – social media risk management is crucial

    Crisis management

    Crisis management is the necessary intervention from an organization when negative news spreads across social media platforms. With how interconnected people are due to social media, news can quickly spread across different platforms.

    Organizations must be prepared for difficult situations such as negative feedback for a product or service, site outages, real-world catastrophes or disasters, and negative comments toward the social media handle. There are tools that organizations can use to receive real-time updates and be prepared for extreme situations.

    While the causes are often beyond control, organizations can prepare by setting up a well-constructed crisis management strategy.

    Key Trends

    75%

    75% of respondents to PwC's Global Crisis Survey said technology has facilitated the coordination of their organization's crisis response team.
    Source: PwC, 2021

    69%

    69% of business leaders reported experiencing a crisis over a period of five years, with the average number of crises being three.
    Source: PwC, 2019

    Executive Brief Case Study

    INDUSTRY: Apparel
    SOURCE: “Social Media Crisis Management 3 Examples Done Right,” Synthesio

    Nike

    On February 20, 2019, Zion Williamson, a star player from Duke University, suffered a knee injury when a malfunctioning Nike shoe fell apart. This accident happened less than a minute into a highly anticipated game against North Carolina. Media outlets and social media users quickly began talking. ESPN had broadcast the game nationally. On Twitter, former President Barack Obama, who was watching the game courtside, expressed his well-wishes to Williamson, as did NBA giants like LeBron James.

    This accident was so high profile that Nike stock dropped 1.7% the following day. Nike soon released a statement expressing its concern and well-wishes for Williamson. The footwear megabrand reassured the world that its teams were "working to identify the issue." The following day, Nike sent a team to Durham, North Carolina, where the game took place. This team then visited Nike's manufacturing site in China and returned with numerous suggestions.

    About a month later, Williamson returned to the court with custom shoes, which he told reporters were "incredible." He thanked Nike for creating them.

    An image of a post by Time about Zion Williamson's injury.

    Get to know the key players in the SMMP landscape

    These next slides provide a top-level overview of the popular players you will encounter in the SMMP shortlisting process.

    A collection of the logos for the SMMP key players, discussed later in this blueprint.

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    An image of SoftwareReviews data quadrant analysis

    The data quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.
    Vendors are ranked by their composite score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    An image of SoftwareReviews Emotional Footprint.

    The emotional footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.
    Vendors are ranked by their customer experience (CX) score, which combines the overall emotional footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Fact-based reviews of business software from IT professionals.

    Product and category reports with state-of-the-art data visualization.

    Top-tier data quality backed by a rigorous quality assurance process.

    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    The logo for HubSpot

    Est. 2006 | MA, USA | NYSE: HUBS

    bio

    From attracting visitors to closing customers, HubSpot brings the entire marketing funnel together for less hassle, more control, and an inbound marketing strategy.

    An image of SoftwareReviews analysis for HubSpot

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Extensive functionality
    • Great for midmarket and large enterprises
    • Offers free trial

    Areas to improve:

    • Comparatively expensive
    • Steep price increase between various tiers of offering

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    HubSpot offers a robust social media management platform that enables organizations to run all social media campaigns from a central location. HubSpot is suitable for a range of midmarket and enterprise use cases. HubSpot offers a free base version of the platform that freelancers and start-ups can take advantage of. The free version can also be used to trial the product prior to deciding on purchase.

    However, HubSpot is relatively expensive compared to its competitors. The free tools are not sustainable for growing businesses and some essential features are locked behind professional pricing. The price increase from one tier to another – specifically from starter to professional – is steep, which may discourage organizations looking for a "cheap and cheerful" product.

    History

    An image of the timeline for HubSpot

    Starter

    • Starts at $45
    • Per month
    • Small businesses

    Professional

    • Starts at $800
    • Per month
    • Medium/large businesses

    Enterprise

    • Starts at $3600
    • Per month
    • Large enterprises

    The logo for Sprout Social

    Est. 2010 | IL, USA | NASDAQ: SPT

    bio

    People increasingly turn to social media to engage with your business. Sprout Social provides powerful tools to personally connect with customers, solve issues, and create brand advocates.

    An image of SoftwareReviews analysis for Sprout Social

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Automated response feature
    • Great price for base offering

    Areas to improve:

    • Advanced features are very expensive
    • No free trial offered

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    Sprout Social offers strong social feed management and social customer service capabilities. It also provides powerful analytical tools to monitor multiple social media accounts. The listening functionality helps discover trends and identify gaps and opportunities. It is also one of the very few platforms to provide automated responses to incoming communications, easing the process of managing large and popular brands.

    Although the starting price of each tier is competitive, advanced analytics and listening come at a steep additional cost. Adding one additional user to the professional tier costs $299, which is a 75% increase in cost. Sprout Social does not offer a free tier for small businesses to trial.

    History

    An image of the timeline for Sprout Social

    Standard

    • Starts at $249
    • Per month
    • Small businesses
    • Five social profiles

    Professional

    • Starts at $399
    • Per month
    • Medium/large businesses

    Advanced

    • Starts at $499
    • Per month
    • Medium/large businesses

    Enterprise

    • Opaque pricing
    • Request a quote
    • Large enterprises

    The logo for Hootsuite

    Est. 2008 | BC, CANADA | PRIVATE

    bio

    Manage social networks, schedule messages, engage your audiences, and measure ROI right from the dashboard.

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Automatic scheduling functionality
    • Competitor analysis
    • 30-day free trial

    Areas to improve:

    • Advanced functionalities require additional purchase and are expensive

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    Hootsuite is one of the largest players in the social media management space with over 18 million users. The solution has great functionality covering all the popular social media platforms like Facebook, Instagram, Twitter, and Pinterest. One popular and well-received feature is the platform’s ability to schedule posts in bulk. Hootsuite also provides an automatic scheduling feature that uses algorithms to determine the optimal time to post to maximize viewership and engagement. Additionally, the platform can pull analytics for all competitors in the same marketspace as the user to compare performance.

    Hootsuite offers buyers a 30-day free trial to familiarize themselves with the platform and provides unlimited post scheduling across all their plans. Features like social listening, employee advocacy, and ROI reporting, however, are not included in these plans and require additional purchase.

    History

    An image of the timeline for Hootsuite

    Professional

    • Starts at $49*
    • Per month
    • 1 user and 10 social accounts

    Team

    • Starts at $249*
    • Per month
    • 3 users and 20 social accounts

    Business

    • Starts at $739*
    • Per month
    • 5 users and 35 social accounts

    Enterprise

    • Custom built and priced
    • Starts at 5 users and 50 social accounts

    The logo for Sprinklr

    Est. 2009 | NY, USA | NYSE: CXM

    bio

    With social engagement & sales, you can deliver a positive experience that's true to your brand - no matter where your customers are digitally - from a single, unified platform.

    An image of SoftwareReviews analysis for Sprinklr

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Extensive social analytics functionality
    • Advertising and sales capabilities

    Areas to improve:

    • Not suitable for small to medium businesses
    • Opaque pricing

    Sprinklr is a vendor focused on enterprise-grade capabilities that offers a comprehensive unified customer experience management (CXM) platform.

    Their product portfolio offers an all-in-one solution set with an extensive list of features to accommodate all marketing and communication needs. Sprinklr comes integrated with products consisting of advertising, marketing, engagement, and sales capabilities. Some of the key functionality specific to social media includes sentiment analysis, social reporting, advanced data filtering, alerts and notifications, competitor analysis, post performance, and hashtag analysis.

    History

    An image of the timeline for Sprinklr

    Sprinklr – Opaque Pricing:
    "Request a Demo"

    The logo for Zoho Social

    Est. 1996 | TN, INDIA | PRIVATE

    bio

    Zoho Social is a complete social media management tool for growing businesses & agencies. It helps schedule posts, monitor mentions, create unlimited reports, and more. Zoho Social is from Zoho.com—a suite of 40+ products trusted by 30+ million users.

    An image of SoftwareReviews analysis for Zoho Social

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Provides integration capabilities with other Zoho products
    • Competitive pricing

    Areas to improve:

    • Base functionality is limited
    • The two starting tiers are limited to one user

    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    Zoho differentiates itself from competitors by highlighting integration with other products under the Zoho umbrella – their adjacent tool sets allow organizations to manage emails, projects, accounts, and webinars. Zoho also offers the choice of purchasing their social media management tool without any of the augmented CRM capabilities, which is priced quite competitively.

    The social media management tools are offered in three plans. Each plan allows the ability to publish and schedule posts across nine platforms, access summary reports and analytics, and access a Bit.ly integration & URL shortener. The standard and professional plans are limited to one brand and one team member, with the option to add team members or social channels for an additional cost.

    YouTube support is exclusive to the premium offering.

    History

    An image of the timeline for Zoho Social

    Standard

    • Starts at $10*
    • Per month, billed annually
    • 9 channels and 1 team member

    Professional

    • Starts at $30*
    • Per month, billed annually
    • Option to add team members for additional cost

    Premium

    • Starts at $40*
    • Per month, billed annually
    • Starts at 10 channels and 3 team members

    The logo for MavSocial

    Est. 2012 | CA, USA | PRIVATE

    bio

    MavSocial is a multi-award-winning, fully integrated social media management & advertising solution for brands and agencies.

    An image of SoftwareReviews analysis for MavSocial

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Content management capabilities
    • Offers millions of free stock images

    Areas to improve:

    • Limited market footprint compared to competitors
    • Not ideal for large enterprises

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    In addition to social media management, MavSocial is also an excellent content management tool. A centralized platform is offered that can store many photos, videos, infographics, and more, which can be accessed anytime. The solution comes with millions of free stock images to use. MavSocial is a great hybrid social media and content management solution for small and mid-sized businesses and larger brands that have dedicated teams to manage their social media. MavSocial also offers campaign planning and management, scheduling, and social inbox functionality. The entry-level plan starts at $78 per month for three users and 30 profiles. The enterprise plan offers fully configurable and state-of-the-art social media management tools, including the ability to manage Facebook ads.

    History

    An image of the timeline for MavSocial

    Pro

    • Starts at $78*
    • Per month
    • Max. 3 users and 30 Profiles

    Business

    • Starts at $249*
    • Per month
    • 5 users, 40 profiles
    • Ability to expand users and profiles

    Enterprise

    • Starts at $499*
    • Per month
    • Fully customized

    The logo for Khoros

    Est. 2019 | TX, USA | PRIVATE

    bio

    Use the Khoros platform (formerly Spredfast + Lithium) to deliver an all-ways connected experience your customers deserve.

    An image of SoftwareReviews analysis for Khoros

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Offers a dedicated social strategic service team
    • Extensive functionality

    Areas to improve:

    • Opaque pricing
    • Not suitable for small or medium businesses

    Khoros is the result of the merger between two social marketing platforms - Spredfast and Lithium. The parent companies have over a decade of experience offering social management tools. Khoros is widely used among many large brands such as StarHub and Randstad. Khoros is another vendor that is primarily focused on large enterprises and does not offer plans for small/medium businesses. Khoros offers a broad range of functionality such as social media marketing, customer engagement, and brand protection with visibility and controls over social media presence. Khoros also offers a social strategic services team to manage content strategy, brand love, reporting, trend tracking, moderation, crisis and community management; this team can be full service or a special ops extension of your in-house crew.

    History

    An image of the timeline for Khoros

    Khoros – Opaque Pricing:
    "Request a Demo"

    The logo for Sendible

    Est. 2009 | UK | PRIVATE

    bio

    Sendible allows you to manage social networks, schedule messages, engage your audiences, and measure ROI right from one easy-to-use dashboard.

    An image of SoftwareReviews analysis for Sendible

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Great integration capabilities
    • Competitive pricing
    • Scheduling functionality

    Areas to improve:

    • Limited footprint compared to competitors
    • Better suited for agencies

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    Sendible primarily markets itself to agencies rather than individual brands or businesses. Sendible's key value proposition is its integration capabilities. It can integrate with 17 different tools including Meta, Twitter, Instagram, LinkedIn, Google My Business (GMB), YouTube, WordPress, Canva, Google Analytics, and Google Drive. In addition to normal reporting functionality, the Google Analytics integration allows customers to track clickthrough and user behavior for traffic coming from social media channels.

    All plans include the functionality to schedule at least ten posts. Sendible offers excellent collaboration tools, allowing teams to work on assigned tasks and have content approved before they are scheduled to ensure quality control. Sendible offers four plans, with the option to save an additional 15% by signing up for annual payments.

    History

    An image of the timeline for Sendible

    Creator

    • Starts at $29
    • Price per month
    • For freelancers
    • One brand

    Traction

    • Starts at $89
    • Price per month
    • Start-up agencies & brands. 4+ brands

    Scale

    • Starts at $199
    • Price per month
    • For growing agencies & brands

    Custom

    • Opaque pricing
    • Request a quote
    • For large teams & agencies

    The logo for Agorapulse

    Est. 2010 | FRANCE | PRIVATE

    bio

    Agorapulse is an affordable social media dashboard that helps businesses and agencies easily publish content and manage their most important conversations on their social networks.

    An image of SoftwareReviews analysis for Agorapulse

    SoftwareReviews' SMMP Rankings

    Strengths:

    • ROI calculation for Facebook
    • Competitor analysis
    • Social inbox functionality

    Areas to improve:

    • Targeted toward agencies
    • Advanced features can't be purchased under lower tier plans

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    Although Agorapulse offers the solution for both agencies and businesses, they primarily focus on agencies. In addition to the standard social media management functionality, Agorapulse also offers features such as competitor analysis and Facebook contest apps at an affordable price point. They also offer social inbox functionality, allowing the ability to manage the inbox and reply to any message or comment across all social profiles through a single platform.

    The solution is offered in three plans. The pro plan allows ten social profiles and two users. Additional social profiles and users can only be purchased under the premium plan. All plans include ROI calculation for Facebook, but if you want this functionality for other platforms, that's exclusive to the enterprise plan.

    History

    An image of the timeline for Agorapulse

    Pro

    • Starts at $79
    • Price per month
    • 10 social profiles and 2 users

    Premium

    • Starts at $199
    • Price per month
    • 20 social profiles and 2 brands

    Enterprise

    • Opaque pricing
    • 40+ social profiles and 8+ users

    The logo for Buffer

    Est. 2010 | CA, USA | PRIVATE

    bio

    A better way to manage social media for your business. Buffer makes it easy to manage your business' social media accounts. Schedule posts, analyze performance, and collaborate with your team — all in one place.

    An image of SoftwareReviews analysis for Buffer

    SoftwareReviews' SMMP Rankings

    Strengths:

    • Competitive pricing
    • Scheduling functionality
    • Mobile app

    Areas to improve:

    • Not suited for medium to large enterprises
    • Limited functionality

    *Pricing correct as of November 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    Buffer is a social media platform targeted toward small businesses. It is a great cost-effective option for those who want to manage a few social media profiles, with a free plan that lets one user access three social channels. At $5 per month, it's a great entry point for smaller companies to invest in social media management tools, offering functionality like post scheduling and link shortening and optimization tools for hashtags, tags, and mentions across platforms. All plans provide a browser extension, access to a mobile app, two-factor authentication, social media and email support, and access to the Buffer community. Customers can also trial any of the plans for 14 days before purchasing.

    History

    An image of the timeline for Buffer

    Essentials

    • Starts at $5
    • Per month per channel
    • Basic functionality

    Team

    • Starts at $10
    • Per month per channel
    • Adds reporting capabilities

    Agency

    • Starts at $100
    • Per month per channel

    Leverage Info-Tech's research to plan and execute your SMMP implementation

    Use Info-Tech Research Group's three-phase implementation process to guide your own planning.

    • Assess
    • Prepare
    • Govern & Course Correct

    An image of the title page for Info-Tech's governance and management of enterprise software implementation

    Establish and execute an end-to-end, Agile framework to succeed with the implementation of a major enterprise application.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing vendor and partner relationships.

    Communication

    Teams must have a communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Introducing awards and continually emphasizing delivery of value can encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:

    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members to contribute to the project and complete required tasks on time. Trust can be developed and maintained by:

    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role clarity: Having a clear definition of everyone's role.

    Summary of Accomplishment

    Knowledge Gained

    • What a social media management platform (SMMP) is
    • The history of SMMP
    • The future of SMMP
    • Key trends in SMMP

    Processes Optimized

    • Requirements gathering
    • Requests for proposal (RFPs) and contract reviews
    • SMMP vendor selection
    • SMMP implementation

    SMMP Vendors Analyzed

    • Sprout Social
    • HubSpot
    • Zoho Social
    • Khoros
    • Agorapulse
    • Hootsuite
    • Sprinklr
    • MavSocial
    • Sendible
    • Buffer

    Related Info-Tech Research

    Select and Implement a Social Media Management Platform

    • SMMPs reduce complexity and increase the results of enterprise social media initiatives.

    Social Media

    • The Social Media workshop provides clear, measurable improvements to your social media strategy.

    Improve Requirements Gathering

    • An improvement in requirements analysis will strengthen the relationship between business and IT, as more and more applications satisfy stakeholder needs. More importantly, the applications delivered by IT will meet all the must-have and at least some of the nice-to-have requirements, allowing end users to successfully execute their day-to-day responsibilities.

    Streamline Your Workforce During a Pandemic

    Reduced infection rates in compromised areas are providing hope that these difficult times will pass. However, organizations are facing harsh realities in real time. With significant reductions in revenue, employers are facing pressure to quickly implement cost-cutting strategies, resulting in mass layoffs of valuable employees.

    Our Advice

    Critical Insight

    Employees are an organization’s greatest asset. When faced with cost-cutting pressures, look for redeployment opportunities that use talent as a resource to get through hard times before resorting to difficult layoff decisions.

    Impact and Result

    Make the most of your workforce in this unprecedented situation by following McLean & Company’s process to initiate redeployment efforts and reduce costs. If all else fails, follow our guidance on planning for layoffs and considerations when doing so.

    Streamline Your Workforce During a Pandemic Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Meet with leadership

    Set a strategy with senior leadership, brainstorm underused and understaffed employee segments and departments, then determine an approach to redeployments and layoffs.

    • Streamline Your Workforce During a Pandemic Storyboard
    • Redeployment and Layoff Strategy Workbook

    2. Plan individual and department redeployment

    Collect key information, prepare and redeploy, and roll up information across the organization.

    • Short-Term Survival Segment Evaluation Tool
    • Skills Inventory for Redeployment Tool
    • Redeployment Action and Communication Plan
    • Crisis Communication Guide for HR
    • Crisis Communication Guide for Leaders
    • Leadership Crisis Communication Guide Template
    • 3i's of Engaging Management – Manager Guide
    • Feedback and Coaching Guide for Managers
    • Redeployment Communication Roll-up Template

    3. Plan individual and department layoffs

    Plan for layoffs, execute on the layoff plan, and communicate to employees.

    • Employee Departure Checklist Tool
    • 10 Communication Best Practices in the Face of Crisis
    • Termination Logistics Tool
    • Termination Costing Tool
    • COVID-19: Employee-Facing Frequently Asked Questions Template
    • COVID-19: Employee-Facing Frequently Asked Questions
    • Standard Internal Communications Plan

    4. Monitor and manage departmental effectiveness

    Monitor departmental performance, review organizational performance, and determine next steps.

    • HR Metrics Library
    • Standard HR Scorecard

    CIO Priorities 2023

    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 9 Average Days Saved

    CIOs are facing these challenges in 2023:

    • Trying to understand the implications of external trends.
    • Determining what capabilities are most important to support the organization.
    • Understanding how to help the organization pursue new opportunities.
    • Preparing to mitigate new sources of organizational risk.

    Our Advice

    Critical Insight

    • While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full context awareness. It's up to them to assess their gaps, consider the present scenario, and then make their next move.
    • Each priority carries new opportunities for organizations that pursue them.
    • There are also different risks to mitigate as each priority is explored.

    Impact and Result

    • Inform your IT strategy for the year ahead.
    • Identify which capabilities you need to improve.
    • Add initiatives that support your priorities to your roadmap.

    CIO Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. CIO Priorities 2023 Report – Read about the priorities on IT leaders' agenda.

    Understand the five priorities that will help navigate the opportunities and risks of the year ahead.

    • CIO Priorities 2023 Report

    Further reading

    CIO Priorities 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    Analyst Perspective

    Take a full view of the board and use all your pieces to win.

    In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters and to view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.

    If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.

    In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.

    It's up to them to assess their gaps, consider the present scenario, and then make their next move.

    This is a picture of Brian Jackson

    Brian Jackson
    Principal Research Director, Research – CIO
    Info-Tech Research Group

    CIO Priorities 2023 is informed by Info-Tech's primary research data of surveys and benchmarks

    Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.

    2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
    Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.

    2023 The State of Hybrid Work in IT Survey; N=518
    The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.

    Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.

    Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).

    The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.

    Build IT alignment

    Assess your IT processes

    Determine stakeholder satisfaction

    Most IT departments should aim to drive outcomes that deliver better efficiency and cost savings

    Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.

    In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.

    Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.

    Current and future state of IT maturity

    This image depicts a table showing the Current and future states of IT maturity.

    Trends indicate a need to focus on leadership and change management

    Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.

    To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.

    Tier 1: The Most Important Capabilities In 2023

    Enterprise Application Selection & Implementation

    Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost.

    Effectiveness: 6.5; Importance: 8.8

    Leadership, Culture, and Values

    Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance.

    Effectiveness: 6.9; Importance: 9

    Data Architecture

    Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization.

    Effectiveness: 6.3; Importance: 8.8

    Organizational Change Management

    Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture.

    Effectiveness: 6.1; Importance: 8.8

    External Compliance

    Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.

    Effectiveness: 7.4; Importance: 8.8

    Info-Tech's Management and Diagnostic Benchmark

    Tier 2: Other Important Capabilities In 2023

    Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.

    Asset Management

    Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed.

    Effectiveness: 6.4; Importance: 8.5

    Business Intelligence and Reporting

    Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis.

    Effectiveness: 6.3; Importance: 8.8

    Business Value

    Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits.

    Effectiveness: 6.5; Importance: 8.7

    Cost and Budget Management

    Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services.

    Effectiveness: 6.5; Importance: 8.8

    Data Quality

    Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business.

    Effectiveness: 6.4; Importance: 8.9

    Enterprise Architecture

    Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure.

    Effectiveness: 6.8; Importance: 8.8

    IT Organizational Design

    Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business.

    Effectiveness: 6.8; Importance: 8.8

    Performance Measurement

    Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance.

    Effectiveness: 6; Importance: 8.4

    Stakeholder Relations

    Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes.

    Effectiveness: 6.7; Importance: 9.2

    Vendor Management

    Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance.

    Effectiveness: 6.6; Importance: 8.4

    Defining the CIO Priorities for 2023

    Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.

    This is an image of the four analyses: 1: Implications; 2: Opportunities and risks; 3: Case examples; 4: Priorities to action.

    The Five CIO Priorities for 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
      • Business Value
      • Vendor Management
      • Cost and Budget Management
    2. Prepare your data pipeline to train AI
      • Business Intelligence and Reporting
      • Data Quality
      • Data Architecture
    3. Go all in on zero-trust security
      • Asset Management
      • Stakeholder Relations
      • External Compliance
    4. Engage employees in the digital age
      • Leadership, Culture, and Values
      • Organizational Change Management
      • Enterprise Architecture
    5. Shape the IT organization to improve customer experience
      • Enterprise Application Selection & Implementation
      • Performance Measurement
      • IT Organizational Design

    Adjust IT operations to manage for inflation

    Priority 01

    • APO06 Cost and Budget Management
    • APO10 Vendor Management
    • EDM02 Business Value

    Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.

    Inflation takes a bite out of the budget

    Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).

    CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. The 27% expecting an increase between 1-5% are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.

    Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

    Global inflation estimates by year

    2022 8.8%
    2023 6.5%
    2024 4.1%

    International Monetary Fund, 2022

    CIOs are more optimistic about budgets than their supervisors

    Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.

    While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CxOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.

    When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CxOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.

    CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.

    Expect headcount to stay flat or decline over 3-5 years

    CIO: 10%; CxO: 24%

    IT budget expectations to stay flat or decrease before inflation

    CIO: 13.6%; CxO: 3.2%

    IT budget expectations to stay flat or decrease adjusted for inflation

    CIO: 25.8%; CxO: 9.7%

    Info-Tech's CEO-CIO Alignment Program

    Opportunities

    Appoint a "cloud economist"

    Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.

    Partner with technology providers

    Keep your friends close and your vendors closer. Look for opportunities to create leverage with your strategic vendors to unlock new opportunities. Identify if a vendor you work with is not entrenched in your industry and offer them the credibility of working with you in exchange for a favorable contract. Offering up your logo for a website listing clients or giving your own time to speak in a customer session at a conference can go a long way to building up some goodwill with your vendors. That's goodwill you'll need when you ask for a new multi-year contract on your software license without annual increases built into the structure.

    Demonstrate IT projects improve efficiency

    An IT department that operates at the Optimize level of Info-Tech's maturity scale can deliver outcomes that lower costs for other departments. IT can defend its own budget if it's able to demonstrate that its initiatives will automate or augment business activities in a way that improves margins. The argument becomes even more compelling if IT can demonstrate it is supporting a revenue-generating initiative or customer-facing experience. CIOs will need to find business champions to vouch for the important contributions IT is making to their area.

    Risks

    Imposition of non-financial reporting requirements

    In some jurisdictions, the largest companies will be required to start collecting information on the carbon emissions that result from their business activities by the end of next year. Smaller organizations will be next on the list to determine how to meet new requirements issued by various regulators. Risks of failure include facing fines or being shunned by investors. CIOs will need to support their financial reporting teams in collecting the new required data accurately. This will incur new costs as well.

    Rising asset costs

    Acquiring IT equipment is becoming more expensive due to overall inflation and specific pressures around semiconductor supply chains. As a result, more CIOs are extending their device refresh policies to last another year or two. Still, demands for new devices to support new hybrid work models could put pressure on budgets as IT teams are asked to modernize conferencing rooms. For organizations adopting mixed reality headsets, cutting-edge capabilities will come at a premium. Operating costs of devices may also increase as inflation increases costs of the electricity and bandwidth they depend on.

    CASE STUDY
    Leverage your influence in vendor negotiations

    Denise Cornish, Associate VP of IT and Deputy COO,
    Western University of Health Sciences

    Since taking on the lead IT role at Western University in 2020, Denise Cornish has approached vendor management like an auditable activity. She evaluates the value she gets from each vendor relationship and creates a list of critical vendors that she relies upon to deliver core business services. "The trick is to send a message to the vendor that they also need us as a customer that's willing to act as a reference," she says. Cornish has managed to renegotiate a contract with her ERP vendor, locking in a multi-year contract with a very small escalator in exchange for presenting as a customer at conferences. She's also working with them on developing a new integration to another piece of software popular in the education space.

    Western University even negotiated a partnership approach with Apple for a program run with its College of Osteopathic Medicine of the Pacific (COMP) called the Digital Doctor Bag. The partnership saw Apple agree to pre-package a customer application developed by Western that delivered the curriculum to students and facilitated communications across students and faculty. Apple recognized Western as an Apple Distinguished School, a program that recognizes innovative schools that use Apple products.

    "I like when negotiations are difficult. I don't necessarily expect a zero-sum game. We each need to get something out of this and having the conversation and really digging into what's in it for you and what's in it for me, I enjoy that. So usually when I negotiate a vendor contract, it's rare that it doesn't work out."

    CASE STUDY
    Control cloud costs with a simplified approach

    Jim Love, CIO, IT World Canada

    As an online publisher and a digital marketing platform for technology products and services companies, IT World Canada (ITWC) has observed that there are differences in how small and large companies adopt the cloud as their computing infrastructure. For smaller companies, even though adoption is accelerating, there may still be some reluctance to fully embrace cloud platforms and services. While larger companies often have a multi-cloud approach, this might not be practical for smaller IT shops that may struggle to master the skills necessary to effectively manage one cloud platform. While Love acknowledges that the cloud is the future of corporate computing, he also notes that not all applications or workloads may be well suited to run in the cloud. As well, moving data into the cloud is cheap but moving it back out can be more expensive. That is why it is critical to understand your applications and the data you're working with to control costs and have a successful cloud implementation.

    "Standardization is the friend of IT. So, if you can standardize on one platform, you're going to do better in terms of costs."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Cost and Budget Management

    Take control of your cloud costs by providing central financial oversight on the infrastructure-as-a-service provider your organization uses. Create visibility into your operational costs and define policies to control them. Right-size the use of cloud services to stay within organizational budget expectations.

    Take Control of Cloud Costs on AWS

    Take Control of Cloud Costs on Microsoft Azure

    Improve Business Value

    Reduce the funds allocated to ongoing support and impose tougher discipline around change requests to lighten your maintenance burden and make room for investment in net-new initiatives to support the business.

    Free up funds for new initiatives

    Improve Vendor Management

    Lay the foundation for a vendor management process with long-term benefits. Position yourself as a valuable client with your strategic vendors and leverage your position to improve your contract terms.

    Elevate Your Vendor Management Initiative

    Prepare your data pipeline to train AI

    Priority 02

    • ITRG06 BUSINESS INTELLIGENCE AND REPORTING
    • ITRG07 DATA ARCHITECTURE
    • ITRG08 DATA QUALITY

    Keep pace as the market adopts AI capabilities, and be ready to create competitive advantage.

    Today's innovation is tomorrow's expectation

    During 2022, some compelling examples of generative-AI-based products took the world by storm. The AI image-generating bots Midjourney and Stable Diffusion went viral, flooding social media and artistic communities with images generated from text prompts. Exchanges with OpenAI's ChatGPT bot also caught attention, as the bot was able to do everything from write poetry, to provide directions on a cooking recipe and then create a shopping list for it, to generate working code in a variety of languages. The foundation models are trained with AI techniques that include generative adversarial networks, transformers, and variational autoencoders. The end result is an algorithm that can produce content that's meaningful to people based on some simple direction. The industry is only beginning to come to grips with how this sort of capability will disrupt the enterprise.

    Slightly more than one-third of IT professionals say their organization has already invested in AI or machine learning. It's the sixth-most popular technology to have already invested in after cloud computing (82%), application programming interfaces (64%), workforce management solutions (44%), data lakes (36%), and next-gen cybersecurity (36%). It's ahead of 12 other technologies that IT is already invested in.

    When we asked what technologies organizations planned to invest in for next year, AI rocketed up the list to second place, as it's selected by 44% of IT professionals. It falls behind only cloud computing. This jump up the list makes AI the fastest growing technology for new investment from organizations.

    Many AI capabilities seem cutting edge now, but organizations are prioritizing AI as a technology investment. In a couple of years, foundational models that produce images, text, or code will become easy to access with a commercial license and an API integration. AI will become embedded in off-the-shelf software and drive many new features that will quickly become commonplace.

    To stay even with the competition and meet customer expectations, organizations will have to work to at least adopt these AI-enhanced products and services. For those that want to create a competitive advantage, they will have to build a data pipeline that is capable of training their own custom AI models based on their unique data sets.

    Which of the following technology categories has your organization already invested in?

    A bar graph depicts the percentage of organizations that have already invested in the following categories: Cloud Computing; Application Programming; Next-Gen Cybersecurity; Workforce Management Solutions; Data Lake/Lakehouse; Artificial Intelligence or Machine Learning.

    Which of those same technologies does your organization plan to invest in by the end of 2023?

    A bar graph depicts the percentage of organizations that plan to invest in the following categories by the end of 2023: No-Code / Low-Code Platforms; Next-Gen Cybersecurity; Application Programming Interfaces (APIs); Data Lake / Lakehouse; Artificial Intelligence (AI) or Machine Learning; Cloud Computing.

    Tech Trends 2023 Survey

    Data quality and governance will be critical to customize generative AI

    Data collection and analysis are on the minds of both CIOs and their supervisors. When asked what technologies the business should adopt in the next three to five years, big data (analytics) ranked as most critical to adopt among CIOs and their supervisors. Big data (collection) ranked fourth out of 11 options.

    Organizations that want to drive a competitive advantage from generative AI will need to train these large, versatile models on their own data sets. But at the same time, IT organizations are struggling to provide clean data. The second-most critical gap for IT organizations on average is data quality, behind only organizational change management. Organizations know that data quality is important to support analytics goals, as algorithms can suffer in their integrity if they don't have reliable data to work with. As they say, garbage in, garbage out.

    Another challenge to overcome is the gap seen in IT governance, the sixth largest gap on average. Using data toward training custom generative models will hold new compliance and ethical implications for IT departments to contend with. How user data can be leveraged is already the subject of privacy legislation in many different jurisdictions, and new AI legislation is being developed in various places around the world that could create further demands. In some cases, users are reacting negatively to AI-generated content.

    Biggest capability gaps between rated importance and effectiveness

    This is a bar graph showing the capability gaps between rated importance and effectiveness.

    IT Management and Governance Diagnostic

    Most critical technologies to adopt rated by CIOs and their supervisors

    This is a bar graph showing the most critical technologies to adopt as rated by CIOs and their supervisors.

    CEO-CIO Alignment Program

    Opportunities

    Enterprise content discovery

    Many organizations still cobble together knowledgebases in SharePoint or some other shared corporate drive, full of resources that no one quite knows how to find. A generative AI chatbot holds potential to be trained on an organization's content and produce content based on an employee's queries. Trained properly, it could point employees to the right resource they need to answer their question or just provide the answer directly.

    Supply chain forecasts

    After Hurricane Ian shut down a Walmart distribution hub, the retailer used AI to simulate the effects on its supply chain. It rerouted deliveries from other hubs based on the predictions and planned for how to respond to demand for goods and services after the storm. Such forecasts would typically take a team of analysts days to compose, but thanks to AI, Walmart had it done in a matter of hours (The Economist, 2022).

    Reduce the costs of AI projects

    New generative AI models of sufficient scale offer advantages over previous AI models in their versatility. Just as ChatGPT can write poetry or dialogue for a play or perhaps a section of a research report (not this one, this human author promises), large models can be deployed for multiple use cases in the enterprise. One AI researcher says this could reduce the costs of an AI project by 20-30% (The Economist, 2022).

    Risks

    Impending AI regulation

    Multiple jurisdictions around the world are pursuing new legislation that imposes requirements on organizations that use AI, including the US, Europe, and Canada. Some uses of AI will be banned outright, such as the real-time use of facial recognition in public spaces, while in other situations people can opt out of using AI and work with a human instead. Regulations will take the risk of the possible outcomes created by AI into consideration, and organizations will often be required to disclose when and how AI is used to reach decisions (Science | Business, 2022). Questions around whether creators can prevent their content from being used for training AI are being raised, with some efforts already underway to collect a list of those who want to opt out. Organizations that adopt a generative AI model today may find it needs to be amended for copyright reasons in the future.

    Bias in the algorithms

    Organizations using a large AI model trained by a third party to complete their tasks or as a foundation to further customize it with their own data will have to contend with the inherent bias of the algorithm. This can lead to unintended negative experiences for users, as it did for MIT Technology Review journalist Melissa Heikkilä when she uploaded her images to AI avatar app Lensa, only to have it render a collection of sexualized portraits. Heikkilä contends that her Asian heritage overly influenced the algorithm to associate her with video-game characters, anime, and adult content (MIT Technology Review, 2022).

    Convincing nonsense

    Many of the generative AI bots released so far often create very good responses to user queries but sometimes create nonsense that at first glance might seem to be accurate. One example is Meta's Galactica bot – intended to streamline scientific research discovery and aid in text generation – which was taken down only three days after being made available. Scientists found that it generated fake research that sounded convincing or failed to do math correctly (Spiceworks, 2022).

    CASE STUDY
    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    At the Toronto Raptors practice facility, the OVO Athletic Centre, a new 120-foot custom LG video screen towers over the court. The video board is used to play back game clips so coaches can use them to teach players, but it also displays analytics from algorithmic models that are custom-made for each player. Data on shot-making or defensive deflections are just a couple of examples of what might inform the players.

    Vice President of Digital Technology Christian Magsisi leads a functional Digital Labs technical group at MLSE. The in-house team builds the specific data models that support the Raptors in their ongoing efforts to improve. The analytics are fed by Noah Analytics, which uses cognitive vision to provide real-time feedback on shot accuracy. SportsVU is a motion capture system that represents how players are positioned on the court, with detail down to which way they are facing and whether their arms are up or down. The third-party vendors provide the solutions to generate the analytics, but it's up to MLSE's internal team to shape them to be actionable for players during a practice.

    "All the way from making sure that a specific player is achieving the results that they're looking for and showing that through data, or finding opportunities for the coaching staff. This is the manifestation of it in real life. Our ultimate goal with the coaches was to be able to take what was on emails or in a report and sometimes even in text message and actually implement it into practice."

    Read the full story on Spiceworks Insights.

    Humza Teherany, Chief Technology Officer, MLSE

    MLSE's Digital Labs team architects its data insights pipeline on top of cloud services. Amazon Web Services Rekognition provides cognitive vision analysis from video and Amazon Kinesis provides the video processing capabilities. Beyond the court, MLSE uses data to enhance the fan experience, explains CTO Humza Teherany. It begins with having meaningful business goals about where technology can provide the most value. He starts by engaging the leadership of the organization and considering the "art of the possible" when it comes to using technology to unlock their goals.

    Humza Teherany (left) and Christian Magsisi lead MLSE's digital efforts for the pro sports teams owned by the group, including the Toronto Raptors, Toronto Maple Leafs, and Toronto Argonauts. (Photo by Brian Jackson).

    "Our first goal in the entire buildup of the Digital Labs organization has been to support MLSE and all of our teams. We like to do things first. We leverage our own technology to make things better for our fans and for our teams to complete and find incremental advantages where possible."
    Humza Teherany,
    Chief Technology Officer, MLSE

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Data Quality

    The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

    Prepare for Cognitive Service Management

    Improve Business Intelligence and Reporting

    Explore the enterprise chatbots that are available to not only assist with customer interactions but also help your employees find the resources they need to do their jobs and retrieve data in real time.

    Explore the best chatbots software

    Improve Data Architecture

    Understand if you are ready to embark on the AI journey and what business use cases are appropriate for AI. Plan around the organization's maturity in people, tools, and operations for delivering the correct data, model development, and model deployment and managing the models in the operational areas.

    Create an Architecture for AI

    Go all in on zero-trust security

    Priority 03

    • BAI09 ASSET MANAGEMENT
    • APO08 STAKEHOLDER RELATIONS
    • MEA03 EXTERNAL COMPLIANCE

    Adopt zero-trust architecture as the new security paradigm across your IT stack and from an organizational risk management perspective.

    Putting faith in zero trust

    The push toward a zero-trust security framework has become necessary for organizations over the past couple of years for several reasons. As the pandemic forced workers away from offices and into their homes, perimeter-based approaches to security were challenged by much wider network footprints and the need to identify users external to the firewall. Supply-chain security became more of a concern with notable attacks affecting many thousands of firms, some with severe consequences. Finally, the regulatory pressure to implement zero trust is rising following President Joe Biden's 2021 Executive Order on Improving the Nation's Cybersecurity. It directs federal agencies to implement zero trust. That will impact any company doing business with the federal government, and it's likely that zero trust will propagate through other government agencies in the years ahead. Zero-trust architecture can also help maintain compliance with privacy-focused regulations concerned with personal data (CSO Online, 2022).

    IT professionals are modestly confident that they can meet new government legislation regarding cybersecurity requirements. When asked to rank their confidence on a scale of one to five, the most common answer was 3 out of 5 (38.5%). The next most common answer was 4 out of 5 (33.3%).

    Zero-trust barriers: Talent shortage and lack of leadership involvement

    Out of a list of challenges, IT professionals are most concerned with talent shortages leading to capacity constraints in cybersecurity. Fifty-four per cent say they are concerned or very concerned with this issue. Implementing a new zero-trust framework for security will be difficult if capacity only allows for security teams to respond to incidents.

    The next most pressing concern is that cyber risks are not on the radar of executive leaders or the board of directors, with 46% of IT pros saying they are concerned or very concerned. Since zero-trust requires that organizations take an enterprise risk management approach to cybersecurity and involve top decision makers, this reveals another area where organizations may fall short of achieving a zero-trust environment.

    How confident are you that your organization is prepared to meet current and future government legislation regarding cybersecurity requirements?

    A circle graph is shown with 68.6% colored dark green and the words "AVG 3.43" written inside the graph. A bar graph shows the confidence percentage for each rating from 1 to 5.

    54%

    of IT professionals are concerned with talent shortages leading to capacity constraints in cybersecurity.

    46%

    of IT professionals are concerned that cyber risks are not on the radar of executive leaders or the board of directors.

    Zero trust mitigates risk while removing friction

    A zero-trust approach to security requires organizations to view cybersecurity risk as part of their overall risk framework. Both CIOs and their supervisors agree that IT-related risks are a pain point. When asked to rate the severity of pain points, 58% of CIOs rated IT-related business risk incidents as a minor pain or major pain. Their supervisors were more concerned, with 61% rating it similarly. Enterprises can mitigate this pain point by involving top levels of leadership in cybersecurity planning.

    Organizations can be wary about implementing new security measures out of concern that they will put barriers between employees and what they need to work. Through a zero-trust approach that focuses on identity verification, friction can be avoided. Overall, IT organizations did well to provide security without friction for stakeholders over the past 18 months. Results from Info-Tech's CIO Business Vision Diagnostic show that stakeholders almost all agree that friction due to security practices is acceptable. The one area that stands to be improved is remote/mobile device access, where 78.3% of stakeholders view the friction as acceptable.

    A zero-trust approach treats user identity the same regardless of device and whether it is inside or outside of the corporate network. This can remove friction when workers are looking to connect remotely from a mobile device.

    IT-related business risk incidents viewed as a pain point

    CXO 61%
    CIO 58%

    Business stakeholders rate security friction levels as acceptable

    A bar graph is depicted with the following dataset: Regulatory Compliance: 93.80%; Office/Desktop Computing: 86.50%; Data Access/Integrity: 86.10%; Remote/Mobile Device Access: 78.30%.

    CIO Business Vision Diagnostic, N=259

    Opportunities

    Move to identity-driven access control

    Today's approach to access control on the network is to allow every device to exchange data with every other device. User endpoints and servers talk to each other directly without any central governance. In a zero-trust environment, a centralized zero-trust network access broker provides one-to-one connectivity. This allows servers to rest offline until needed by a user with the right access permissions. Users verify their identity more often as they move throughout the network. The user can access the resources and data they need with minimal friction while protecting servers from unauthorized access. Log files are generated for analysis to raise alerts about when an authorized identity has been compromised.
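
    The broker model described above, sketched as an added example (it is not from the original report or from any vendor's product): access is denied unless an explicit identity-to-resource grant exists, stale identity proofs are challenged, and every decision is logged so the log can be analyzed for signs of a compromised identity. The class and function names, thresholds, detection heuristics, and sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

REVERIFY_AFTER_S = 900    # assumption: identity proof older than 15 min is stale
CORRELATE_WINDOW_S = 600  # assumption: window for correlating log events
DENY_BURST = 3            # assumption: denials inside the window that raise an alert


@dataclass(frozen=True)
class Request:
    ts: int           # request time in seconds
    user: str
    device: str
    resource: str
    verified_at: int  # when the user last proved their identity (e.g. MFA)


@dataclass
class Broker:
    grants: set                              # explicit (user, resource) pairs
    log: list = field(default_factory=list)  # one record per decision

    def decide(self, req: Request) -> str:
        # The decision depends on identity, never on device or network location.
        if (req.user, req.resource) not in self.grants:
            verdict = "deny:no-grant"        # deny by default
        elif req.ts - req.verified_at > REVERIFY_AFTER_S:
            verdict = "challenge:reverify"   # user must prove identity again
        else:
            verdict = "allow"                # one-to-one path to this resource only
        self.log.append({"ts": req.ts, "user": req.user, "device": req.device,
                         "resource": req.resource, "verdict": verdict})
        return verdict


def find_alerts(log):
    """Flag identities whose logged behaviour suggests compromise (heuristics)."""
    by_user = defaultdict(list)
    for event in sorted(log, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        # Heuristic 1: the same identity is allowed from two devices in quick succession.
        allowed = [e for e in events if e["verdict"] == "allow"]
        for prev, cur in zip(allowed, allowed[1:]):
            if (cur["device"] != prev["device"]
                    and cur["ts"] - prev["ts"] <= CORRELATE_WINDOW_S):
                alerts.append((user, "device-switch", cur["ts"]))
        # Heuristic 2: a valid identity is repeatedly denied resources it has no grant for.
        denied = [e for e in events if e["verdict"].startswith("deny")]
        for i in range(len(denied) - DENY_BURST + 1):
            last = denied[i + DENY_BURST - 1]
            if last["ts"] - denied[i]["ts"] <= CORRELATE_WINDOW_S:
                alerts.append((user, "deny-burst", last["ts"]))
                break
    return alerts


def run_demo():
    broker = Broker(grants={("alice", "payroll-db"), ("bob", "wiki")})
    requests = [  # constructed sample traffic
        Request(1000, "alice", "laptop-1", "payroll-db", verified_at=900),
        Request(1200, "alice", "laptop-1", "payroll-db", verified_at=200),
        Request(1300, "alice", "phone-9", "payroll-db", verified_at=1290),
        Request(2000, "bob", "desk-2", "wiki", verified_at=1990),
        Request(2010, "bob", "desk-2", "payroll-db", verified_at=1990),
        Request(2020, "bob", "desk-2", "hr-share", verified_at=1990),
        Request(2030, "bob", "desk-2", "build-server", verified_at=1990),
    ]
    verdicts = [broker.decide(r) for r in requests]
    return verdicts, find_alerts(broker.log)


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    for verdict in verdicts:
        print(verdict)
    for alert in alerts:
        print("ALERT", alert)
```

    Both heuristics will also fire on some legitimate activity, such as a user moving from laptop to phone, so in practice they feed triage rather than automatic blocking.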

    Protect data with just-in-time authentication

    Many organizations put processes in place to make sure data at rest is encrypted, but often when users copy that data to their own devices, it becomes unencrypted, giving attackers opportunities to exfiltrate sensitive data from user endpoints. Moving to a zero-trust environment where each data access is mediated by a central broker allows for encryption to be preserved. Parties accessing a document must exchange keys to gain access, locking out unauthorized users that don't have both sets of keys to decrypt the data (MIT Lincoln Laboratory, 2022).

    Harness free and open-source tools to deploy zero trust

    IT teams may not be seeing a budget infusion to invest in a new approach to security. By making use of the many free and open-source tools available, they can bootstrap their strategy into reality. Here's a list to get started:

    PingCastle: Wrangle your Active Directory and find all the domains that you've long since forgotten about and manage the situation appropriately. Also builds a spoke-and-hub map of your Active Directory.

    OpenZiti: Create an overlay network to enable programmable networking that supports zero trust.

    Snyk: Developers can automatically find and fix vulnerabilities before they commit their code. This vendor offers a free tier, but users that scale up will need to pay.

    sigstore: Open-source users and maintainers can use this solution to verify the code they are running is the code the developer intended. Works by stitching together free services to facilitate software signing, verify against a transparent ledger, and provide auditable logs.

    Microsoft's SBOM generation tool: A software bill of materials is a requirement in President Biden's Executive Order, intended to provide organizations with more transparency into their software components by providing a comprehensive list. Microsoft's tool will work with Windows, Linux, and Mac and auto-detect a long list of software components, and it generates a list organized into four sections that will help organizations comprehend their software footprint.

    Risks

    Organizational culture change to accommodate zero trust

    Zero trust requires that top decision makers get involved in cybersecurity by treating it as an equal consideration of overall enterprise risk. Not all boards will have the cybersecurity expertise required, and some executives may not prioritize cybersecurity despite the warnings. Organizations that don't appoint a chief information security officer (CISO) role to drive the cybersecurity agenda from the top will be at risk of cybersecurity remaining an afterthought.

    Talent shortage

    No matter what industry you're in or what type of organization you run, you need cybersecurity. The demand for talent is very high and organizations are finding it difficult to hire in this area. Without the talent needed to mature cybersecurity approaches to a zero-trust model, the focus will remain on foundational principles of patch management to eliminate vulnerabilities and intrusion prevention. Smaller organizations may want to consider a "virtual CISO" that helps shape the organizational strategy on a part-time basis.

    Social engineering

    Many enterprise security postures remain vulnerable to an attack that commandeers an employee's identity to infiltrate the network. Hosted single sign-on models provide low friction and continuity of identity across applications but also offer a single point of failure that hackers can exploit. Phishing scams that are designed to trick an employee into providing their credentials to a fake website or to just click on a link that delivers a malware payload are the most common inroads that criminals take into the corporate network. Being aware of how user behavior influences security is crucial.

    CASE STUDY
    Engage the entire organization with cybersecurity awareness

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    Brosnan provides private security services to high-profile clients and is staffed by security experts with professional backgrounds in intelligence services and major law enforcement agencies. Safe to say that security is taken seriously in this culture and CIO Serge Suponitskiy makes sure that extends to all back-office staff that support the firm's activities. He's aware that people are often the weakest link in a cybersecurity posture and are prone to being fooled by a phishing email or even a fraudulent phone call. So cybersecurity training is an ongoing activity that takes many forms. He sends out a weekly cybersecurity bulletin that features a threat report and a story about the "scam of the week." He also uses KnowBe4, a tool that simulates phishing attacks and trains employees in security awareness. Suponitskiy advises reaching out to Marketing or HR for help with engaging employees and finding the right learning opportunities.

    "What is financially the best solution to protect yourself? It's to train your employees. … You can buy all of the tools and it's expensive. Some of the prices are going up for no reason. Some by 20%, some by 50%, it's ridiculous. So, the best way is to keep training, to keep educating, and to reimagine the training. It's not just sending this video that no one clicks on or posting a poster no one looks at. … Given the fact we're moving into this recession world, and everyone is questioning why we need to spend more, it's time to reimagine the training approach."

    CASE STUDY
    Focus on micro-segmentation as the foundation of zero trust

    David Senf, National Cybersecurity Strategist, Bell

    As a cybersecurity analyst and advisor who works with Bell's clients, David Senf sees zero-trust security as an opportunity for organizations to put a strong set of mitigating controls in place to defend against the thorny challenge of reducing vulnerabilities in their software supply chain. With major breaches being linked to widely used software in the past couple of years, security teams might find it effective to focus on a different layer of security to prevent certain breaches. With security policy being enforced at a narrow point/perimeter, attacks are in essence blocked from exploiting application vulnerabilities (e.g., you can't exploit what you can't see). Organizations must still ensure there is a solid vulnerability management program in place, but surrounding applications with other controls is critical. One aspect of zero trust, micro-segmentation, which is an approach to network management, can limit the damage caused by a breach. The solutions help to map out and protect the different connections between applications that could otherwise be abused for discovery or lateral movement. Senf advises that knowing your inventory of software and the interdependencies between applications is the first step on a zero-trust journey, before putting protection and detection in place.

    "Next year will be a year of a lot more ZTNA, zero-trust network access, being deployed. So, I think that will give organizations more of an understanding of what zero trust is as well, from a really basic perspective. If I can just limit what applications you can see and no one can even see that application, it's undiscoverable because I've got that ZTNA solution in place. … I would see that as a leading area of deployment and coming to understand what zero trust is in 2023."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Asset Management

    Enable reduced friction in the remote user experience by underpinning it with a hardware asset management program. Creating an inventory of devices and effectively tracking them will aid in maintaining compliance, result in stronger policy enforcement, and reduce the harm of a lost or stolen device.

    Implement Hardware Asset Management

    Improve Stakeholder Relations

    Communicate the transition from a perimeter-based security approach to an "Always Verify" approach with a clear roadmap toward implementation. Map key protect surfaces to business goals to demonstrate the importance of zero-trust security in helping the organization succeed. Help the organization's top leadership build awareness of cybersecurity risk.

    Build a Zero Trust Roadmap

    Improve External Compliance

    Manage the challenge of meeting new government requirements to implement zero-trust security and other data protection and cybersecurity regulations with a compliance program. Create a control environment that aligns multiple compliance regimes, and be prepared for IT audits.

    Build a Security Compliance Program

    Engage employees in the digital age

    Priority 04

    • ITRG02 LEADERSHIP, CULTURE, AND VALUES
    • BAI05 ORGANIZATIONAL CHANGE MANAGEMENT
    • APO03 ENTERPRISE ARCHITECTURE

    Lead a strong culture through digital means to succeed in engaging the hybrid workforce.

    The new deal for employers in a hybrid work world

    Necessity is the mother of innovation.

    The pandemic's disruption for non-essential workers looks to have a long-lasting, if not permanent, effect on the relationship between employer and employee. The new bargain for almost all organizations is a hybrid work reality, with employees splitting time between the office and working remotely, if not working remotely full-time. IT is in a unique position in the organization as it must not only contend with the shift to this new deal with its own employees but facilitate it for the entire organization.

    With 90% of organizations embracing some form of hybrid work, IT leaders have an opportunity to shift from coping with the new work reality to finding opportunities to improve productivity. Organizations that embrace a hybrid model for their IT departments see a more effective IT department. Organizations that offered no remote work for IT rated their IT effectiveness on average 6.2 out of 10, while organizations with at least 10% of IT roles in a hybrid model saw significantly higher effectiveness. At minimum, organizations with between 50%-70% of IT roles in a hybrid model rated their effectiveness at 6.9 out of 10.

    IT achieved this increase in effectiveness during a disruptive time that often saw IT take on a heavier burden. Remote work required IT to support more users and be involved in facilitating more work processes. Thriving through this challenging time is a win that's worth sharing with the rest of the organization.

    90% of organizations are embracing some form of hybrid work.

    IT's effectiveness compared to % working hybrid or remotely

    A bar graph is shown which compares the effectiveness of IT work with hybrid and full remote work, compared to No Remote Work for IT.

    High effectiveness doesn't mean high engagement

    Despite IT's success with hybrid work, CIOs are more concerned about their staff sufficiency, skill, and engagement than their supervisors are. Among clients using our CEO-CIO Alignment Diagnostic, 49% of CIOs considered this issue a major pain point compared to only 32% of CXOs. While IT staff are more effective than ever, even while carrying more of a burden in the digital age, CIOs are still looking to improve staff engagement.

    Info-Tech's State of Hybrid Work Survey illuminates further details about where IT leaders are concerned for their employee engagement. About four in ten IT leaders say they are concerned for employee wellbeing, and almost the same number say they are concerned they are not able to see signs that employees are demotivated (N=518).

    Boosting IT employees' engagement levels to match their effectiveness will require IT leaders to harness all the tools at their disposal. Communicating culture and effectively managing organizational change in the digital age is a real test of leadership.

    Staff sufficiency, skill, and engagement issues as a major pain point

    CXO 32%
    CIO 49%

    CEO-CIO Alignment Diagnostic

    Opportunities

    Drive effectiveness with a hybrid environment

    IT leaders concerned about the erosion of culture and connectedness due to hybrid work can mitigate those effects with increased and improved communication. Among highly effective IT departments, 55% of IT leaders made themselves highly available through instant messaging chat. Another 54% of highly effective leaders increased team meetings (State of Hybrid Work Survey, n=213). The ability to adapt to the team's needs and use a number of tactics to respond is the most important factor. The greater the number of tactics used to overcome communication barriers, the more effective the IT department (State of Hybrid Work Survey, N=518).

    Modernize the office conference room

    A hybrid work approach emphasizes the importance of not only the technology in the office conference room but the process around how meetings are conducted. Creating an equal footing for all participants regardless of how they join is the goal. In pursuit of that, 63% of organizations say they have made changes or upgrades to their conference room technology (n=496). The conferencing experience can influence employee engagement and work culture and enhance collaboration. IT should determine if the business case exists for upgrades and work to decrease the pain of using legacy solutions where possible (State of Hybrid Work in IT: A Trend Report).

    Understand the organizational value chain

    Map out the value chain from the customer perspective and then determine the organizational capabilities involved in delivering on that experience. It is a useful tool for helping IT staff understand how they're connected to the customer experience and organizational mission. It's crucial to identify opportunities to resolve pain points and create more efficiency throughout the organization.

    Risks

    Talent rejects the working model

    Many employees that experienced hybrid work over the past couple of years are finding it's a positive development for work/life balance and aren't interested in a full-time return to the office. Organizations that insist on returning all employees to the office all the time may find that employees choose to leave the organization. Similarly, it could be hard to hire IT talent in a competitive market if the position is required to be onsite every day. Most organizations are providing flexible options to employees and finding ways to manage work in the new digital age.

    Wasted expense on facilities

    Organizations may choose to keep their physical office only to later realize that no one is going to work there. While providing an office space can help foster positive culture through valuable face time, it has to be used intentionally. Managers should plan for specific days that their teams will meet in the office and make sure that work activities take advantage of everyone being in the same place at the same time. Asking everyone to come in so that they can be on a videoconference meeting in their cubicle isn't the point.

    Isolated employees and teams

    Studies on a remote work environment show it has an impact on how many connections each employee maintains within the company. Employees still interact well within their own teams but have fewer interactions across departments. Overall, workers are likely to collaborate just as often as they did when working in the office but with fewer other individuals at the company. Keep the isolating effect of remote work in mind and foster collaboration and networking opportunities across different departments (BBC News, 2022).

    CASE STUDY
    Equal support of in-office and remote work

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Working in the legislature of the Ontario provincial government, CIO Roberto Eberhardt's staff went from a fully onsite model to a fully remote model at the outset of the pandemic. Today he's navigating his path to a hybrid model that's somewhere in the middle. His approach is to allow his business colleagues to determine the work model that's needed but to support a technology environment that allows employees to work from home or in the office equally. Every new process that's introduced must meet that paradigm, ensuring it will work in a hybrid environment. For his IT staff, he sees a culture of accountability and commitment to metrics to drive performance measurement as key to the success of this new reality.

    "While it's good in a way, the challenge for us is it became a little more complex because you have to account for all those things in the office environment and in the remote work approach. Everything you do now, you have to say OK well how is this going to work in this world and how will it work in the other world?"

    Creating purpose for IT through strategy

    Mike Russell, Virginia Community College System

    At the Virginia Community College System (VCCS), CIO Mike Russell's IT team supports an organization that governs and delivers services to all community colleges in the state. Russell sees his IT team's purpose as being driven by the organization's mission to ensure success throughout the entire student journey, from enrolment to becoming employed after graduation. That customer-focused mindset starts from the top-level leadership, the chancellor, and the state governor. The VCCS maintains a six-year business plan that informs IT's strategic plan and aligns IT with the mission, and both plans are living documents that get refreshed every two years. Updating the plans provides opportunities for the chancellor to engage the organization and remind everyone of the purpose of their work.

    "The outcome isn't the degree. The outcome we're trying to measure is the job. Did you get the job that you wanted? Whether it's being re-employed or first-time employment, did you get what you were after?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Leadership, Culture, and Values

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Prepare People Leaders for the Hybrid Work Environment

    Improve Organizational Change Management

    Assign accountability for managing the changes that the organization is experiencing in the digital age. Take a people-centric approach that accounts for human behavior and plans to address different needs in different ways. Be proactive about change.

    Master Organizational Change Management Practices

    Improve Enterprise Architecture

    Develop a foundation for aligning IT's activities with business value by creating a right-sized enterprise architecture approach that isn't heavy on bureaucracy. Drive IT's purpose by illustrating how their work contributes to the overall mission and the customer experience.

    Create a Right-Sized Enterprise Architecture Governance Framework

    Shape the IT organization to improve customer experience

    PRIORITY 05

    • BAI03 ENTERPRISE APPLICATION SELECTION & IMPLEMENTATION
    • MEA01 PERFORMANCE MEASUREMENT
    • ITRG01 IT ORGANIZATIONAL DESIGN

    Tightly align the IT organization with the organization's value chain from a customer perspective.

    IT's value is defined by faster, better, bigger

    The pandemic motivated organizations to accelerate their digital transformation efforts, digitalizing more of their tasks and organizing the company's value chain around satisfying the customer experience. Now we see organizations taking their foot off the gas pedal of digitalization and shifting their focus to extracting the value from their investments. They want to execute on the digital transformation in their operations and realize the vision they set out to achieve.

    In our Trends Report we compared the emphasis organizations are putting on digitalization to last year. Overall, we see that most organizations shifted fewer of their processes to digital in the past year.

    We also asked organizations what motivated their push toward automation. The most common drivers are to improve efficiency, with almost seven out of ten organizations looking to increase staff focus on high-level tasks by automating repetitive tasks, 67% also wanting to increase productivity without increasing headcount, and 59% wanting to reduce errors being made by people. In addition, more than half of organizations pursued automation to improve customer satisfaction.

    What best describes your main motivation to pursue automation, above other considerations?

    A bar graph is depicted showing the following dataset: Increase staff focus on high-level tasks by automating repetitive tasks: 69%; Increase productivity of existing staff to avoid increasing headcount: 67%; Reduce errors made by people: 59%; Improve customer satisfaction: 52%; Achieve cost savings through reduction in headcount: 35%; Increase revenue by enabling higher volume of work: 30%

    Tech Trends 2023 Survey

    To what extent did your organization shift its processes from being manually completed to digitally completed during past year?

    A bar graph is depicted showing the extent to which organizations shifted processes from manual to digital during the past year for 2022 and 2023, from Tech Trends 2023 Survey

    With the shift in focus from implementing new applications to support digital transformation to operating in the new environment, IT must shift its own focus to help realize the value from these systems. At the same time, IT must reorganize itself around the new value chain that's defined by a customer perspective.

    IT struggles to deliver business value or support innovation

    Many current IT departments are structured around legacy processes that hinder their ability to deliver business value. CIOs are trying to grapple with this misalignment with the modern business structure and keep up with the demands for innovation and agility.

    Almost nine in ten CIOs say that business frustration with IT's failure to deliver value is a pain point. Their supervisors have a slightly more favorable opinion, with 76% agreeing that it is a pain point.

    Similarly, nine in ten CIOs say that IT limits affecting business innovation and agility is a pain point, while 81% of their supervisors say the same.

    Supervisors say that IT should "ensure benefits delivery" as the most important process (CEO-CIO Alignment Program). This underlines the need to achieve alignment, optimize service delivery, and facilitate innovation. The pain points identified here will need to be resolved to make this possible.

    IT departments will need to contend with a tight labor market and economic volatility in the year ahead. If this drives down resource capacity, it will be even more critical to tightly align with the organization.

    Views business frustration with IT failure to deliver value as a pain point

    CXO 76%
    CIO 88%

    Views IT limits affecting business innovation and agility as a pain point

    CXO 81%
    CIO 90%

    CEO-CIO Alignment Program

    Opportunities

    Define IT's value by its contributions to enterprise value

    Communicate the performance of IT to stakeholders by attributing positive changes in enterprise value to IT initiatives. For example, if a digital channel helped increase sales in one area, then IT can claim some portion of that revenue. If optimization of another process resulted in cost savings, then IT can claim that as a contribution toward the bottom line. CIOs should develop their handle on how KPIs influence revenues and costs. Keeping tabs on normalized year-over-year revenue comparisons can help demonstrate that IT contributions are making an impact on driving profitability.

    Go with buy versus build if it's a commodity service

    Most back-office functions common to operating a company can be provided by cloud-based applications accessed through a web browser. There's no value in having IT spend time maintaining on-premises applications that require hosting and ongoing maintenance. Organizations that are still accruing technical debt and are unable to modernize will increasingly find it is negatively impacting employee experience, as users expect their working experience to be similar to their experience with consumer applications. In addition, IT will continue to have capacity challenges as resources will be consumed by maintenance. As they seek to outsource some applications, IT will need to consider the geopolitical risk of certain jurisdictions in selecting a provider.

    Redefine how employee performance is tracked

    The concept of "clocking in" for a shift and spending eight hours a day on the job doesn't help guide IT toward its objectives or create any higher sense of purpose. Leaders must work to create a true sense of accountability by reaching consensus on what key performance indicators are important and tasking staff to improve them. Metrics should clearly link back to business outcomes and IT should understand the role they play in delivering a good customer experience.

    Risks

    Lack of talent available to drive transformation

    CIOs are finding it difficult to hire the talent needed to create the capacity they need as digital demands of their organizations increase. This could slow the pace of change as new positions created in IT go unfilled. CIOs may need to consider reskilling and rebalancing workloads of existing staff in the short term and tap outsourcing providers to help make up shortfalls.

    Resistance to change

    New processes may have been given the official rubber stamp, but that doesn't mean staff are adhering to them. Organizations that reorganize themselves must take steps to audit their processes to ensure they're executed the way they intend. Some employees may feel they are being made obsolete or pushed out of their jobs and become disengaged.

    Short-term increased costs

    Restructuring the organization can come with the need for new tools and more training. It may be necessary to operate with redundant staff for the transitional period. Some additional expenses might be incurred for a brief period as the new structure is being put in place.

    Emphasize the value of IT in driving revenue

    Salman Ali, CIO, McDonald's Germany

    As the new CIO of McDonald's Germany, Salman Ali came on board with an early mandate to reorganize the IT department. The challenge is to merge two organizations together: one that delivers core technology services of infrastructure, security, service desk, and compliance and one that delivers customer-facing technology such as in-store touchscreen kiosks and the mobile app for food delivery. He is looking to organize this new-look department around the technology in the hands of both McDonald's staff and its customers. In conversations with his stakeholders, Ali emphasizes the value that IT is driving rather than discussing the costs that go into it. For example, there was a huge cost in integrating third-party meal delivery apps into the point-of-sales system, but the seamless experience it delivers to customers looking to place an order helps to drive a large volume of sales. He plans to reorganize his department around this value-driven approach. The organization model will be executed with clear accountability in place and key performance indicators to measure success.

    "Technology is no longer just an enabler. It's now a strategic business function. When they talk about digital, they are really talking about what's in the customers' hands and what do they use to interact with the business directly? Digital transformation has given technology a new front seat that's really driving the business."

    CASE STUDY
    Overhauling the "heartbeat" of the organization

    Ernest Solomon, Former CIO, LAWPRO

    LAWPRO is a provider of professional liability insurance and title insurance in Canada. The firm is moving its back-office applications from a build approach to a buy approach and focusing its build efforts on customer-facing systems tied to revenue generation. CIO Ernest Solomon says his team has been developing on a legacy platform for two decades, but it's time to modernize. The firm is replacing its legacy platform and moving to a cloud-based system to address technical debt and improve the experience for staff and customers. The claims and policy management platform, the "heartbeat" of the organization, is moving to a software-as-a-service model. At the same time, the firm's customer-facing Title Plus application is being moved to a cloud-native, serverless architecture. Solomon doesn't see the need for IT to spend time building services for the back office, as that doesn't align with the mission of the organization. Instead, he focuses his build efforts on creating a competitive advantage.

    "We're redefining the customer experience, which is how do we move the needle in a positive direction for all the lawyers that interact with us? How do we generate that value-based proposition and improve their interactions with our organization?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Enterprise Application Selection & Implementation

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Embrace Business-Managed Applications

    Improve Performance Measurement

    Drive the most important IT process in the eyes of supervisors by defining business value and linking IT spend to it. Make benefits realization part of your IT governance.

    Maximize Business Value From IT Through Benefits Realization

    Improve IT Organizational Design

    Showcase IT's value to the business by aligning IT spending and staffing to business functions. Provide transparency into business consumption of IT and compare your spending to your peers'.

    IT Spend & Staffing Benchmarking

    The Five Priorities

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
    2. Prepare your data pipeline to train AI
    3. Go all in on zero-trust security
    4. Engage employees in the digital age
    5. Shape the IT organization to improve customer experience

    Expert Contributors

    In order of appearance

    Denise Cornish, Associate VP of IT and Deputy COO, Western University of Health Sciences

    Jim Love, CIO, IT World Canada

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    Humza Teherany, Chief Technology Officer, MLSE

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    David Senf, National Cybersecurity Strategist, Bell

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Mike Russell, Virginia Community College System

    Salman Ali, CIO, McDonald's Germany

    Ernest Solomon, Former CIO, LAWPRO

    Bibliography

    Anderson, Brad, and Seth Patton. "In a Hybrid World, Your Tech Defines Employee Experience." Harvard Business Review, 18 Feb. 2022. Accessed 12 Dec. 2022.
    "Artificial Intelligence Is Permeating Business at Last." The Economist, 6 Dec. 2022. Accessed 12 Dec. 2022.
    Badlani, Danesh Kumar, and Adrian Diglio. "Microsoft Open Sources Its Software Bill of Materials (SBOM) Generation Tool." Engineering@Microsoft, 12 July 2022. Accessed 12 Dec. 2022.
    Birch, Martin. "Council Post: Equipping Employees To Succeed In Digital Transformation." Forbes, 9 Aug. 2022. Accessed 7 Dec. 2022.
    Bishop, Katie. "Is Remote Work Worse for Wellbeing than People Think?" BBC News, 17 June 2022. Accessed 7 Dec. 2022.
    Carlson, Brian. "Top 5 Priorities, Challenges For CIOs To Recession-Proof Their Business." The Customer Data Platform Resource, 19 July 2022. Accessed 7 Dec. 2022.
    "CIO Priorities: 2020 vs 2023." IT PRO, 23 Sept. 2022. Accessed 2 Nov. 2022.
    cyberinsiders. "Frictionless Zero Trust Security - How Minimizing Friction Can Lower Risks and Boost ROI." Cybersecurity Insiders, 9 Sept. 2021. Accessed 7 Dec. 2022.
    Garg, Sampak P. "Top 5 Regulatory Reasons for Implementing Zero Trust." CSO Online, 27 Oct. 2022. Accessed 7 Dec. 2022.
    Heikkilä, Melissa. "The Viral AI Avatar App Lensa Undressed Me—without My Consent." MIT Technology Review, 12 Dec. 2022. Accessed 12 Dec. 2022.
    Jackson, Brian. "How the Toronto Raptors Operate as the NBA's Most Data-Driven Team." Spiceworks, 1 Dec. 2022. Accessed 12 Dec. 2022.
    Kiss, Michelle. "How the Digital Age Has Transformed Employee Engagement." Spiceworks, 16 Dec. 2021. Accessed 7 Dec. 2022.
    Matthews, David. "EU Hopes to Build Aligned Guidelines on Artificial Intelligence with US." Science|Business, 22 Nov. 2022. Accessed 12 Dec. 2022.
    Maxim, Merritt. "New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities." Forrester, 23 Aug. 2022. Accessed 7 Dec. 2022.
    Miller, Michael J. "Gartner Surveys Show Changing CEO and Board Concerns Are Driving a Different CIO Agenda for 2023." PCMag, 20 Oct. 2022. Accessed 2 Nov. 2022.
    MIT Lincoln Laboratory. "Overview of Zero Trust Architectures." YouTube, 2 March 2022. Accessed 7 Dec. 2022.
    MIT Technology Review Insights. "CIO Vision 2025: Bridging the Gap between BI and AI." MIT Technology Review, 20 Sept. 2022. Accessed 1 Nov. 2022.
    Paramita, Ghosh. "Data Architecture Trends in 2022." DATAVERSITY, 22 Feb. 2022. Accessed 7 Dec. 2022.
    Rosenbush, Steven. "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - WSJ." The Wall Street Journal, 17 Oct. 2022. Accessed 2 Nov. 2022.
    Sacolick, Isaac. "What's in the Budget? 7 Investments for CIOs to Prioritize." StarCIO, 22 Aug. 2022. Accessed 2 Nov. 2022.
    Singh, Yuvika. "Digital Culture-A Hurdle or A Catalyst in Employee Engagement." International Journal of Management Studies, vol. 6, Jan. 2019, pp. 54–60. ResearchGate, https://doi.org/10.18843/ijms/v6i1(8)/08.
    "Talent War Set to Become Top Priority for CIOs in 2023, Study Reveals." CEO.digital, 8 Sept. 2022. Accessed 7 Dec. 2022.
    Tanaka, Rodney. "WesternU COMP and COMP-Northwest Named Apple Distinguished School." WesternU News, 10 Feb. 2022. Accessed 12 Dec. 2022.
    Wadhwani, Sumeet. "Meta's New Large Language Model Galactica Pulled Down Three Days After Launch." Spiceworks, 22 Nov. 2022. Accessed 12 Dec. 2022.
    "World Economic Outlook." International Monetary Fund (IMF), 11 Oct. 2022. Accessed 14 Dec. 2022.

    Govern Office 365

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $21,473 Average $ Saved
    • member rating average days saved: 21 Average Days Saved

    Exploring the enterprise collaboration marketspace is difficult. Finding a suitable collaboration tool is hard because there are many ways to collaborate, with just as many tools to match.

    Our Advice

    Critical Insight

    Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

    Impact and Result

    The result is a defined plan for controlling Office 365 by leveraging hard controls to align Microsoft’s toolset with your needs and creating acceptable use policies and communication plans to highlight the impact of the transition to Office 365 on the end-user population.

    Govern Office 365 Research & Tools

    Start here – read the Executive Brief

    Understand the challenges posed by governing Office 365 and the necessity of deploying proper governance.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your organizational goals

    Develop a list of organizational goals that will enable you to leverage the Office 365 toolset to its fullest extent while also implementing sensible governance.

    • Govern Office 365 – Phase 1: Define Your Organizational Goals

    2. Control your Office 365 environment

    Use Info-Tech's toolset to build out controls for OneDrive, SharePoint, and Teams that align with your organizational goals as they relate to governance.

    • Govern Office 365 – Phase 2: Control Your Office 365 Environment
    • Office 365 Control Map
    • Microsoft Teams Acceptable Use Policy
    • Microsoft SharePoint Online Acceptable Use Policy
    • Microsoft OneDrive Acceptable Use Policy

    3. Communicate your results

    Communicate the results of your Office 365 governance program using Info-Tech's toolset.

    • Govern Office 365 – Phase 3: Communicate Your Results
    • Office 365 Communication Plan Template

    Workshop: Govern Office 365

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Goals

    The Purpose

    Develop a plan to assess the capabilities of the Office 365 solution and select licensing for the product.

    Key Benefits Achieved

    Office 365 capability assessment (right-size licensing)

    Acceptable Use Policies

    Mapped Office 365 controls

    Activities

    1.1 Review organizational goals.

    1.2 Evaluate Office 365 capabilities.

    1.3 Conduct the Office 365 capability assessment.

    1.4 Define user groups.

    1.5 Finalize licensing.

    Outputs

    List of organizational goals

    Targeted licensing decision

    2 Build Refined Governance Priorities

    The Purpose

    Leverage the Office 365 governance framework to develop refined governance priorities.

    Build a SharePoint acceptable use policy and define SharePoint controls.

    Key Benefits Achieved

    Refined governance priorities

    List of SharePoint controls

    SharePoint acceptable use policy

    Activities

    2.1 Explore the Office 365 Framework.

    2.2 Conduct governance priorities refinement exercise.

    2.3 Populate the Office 365 control map (SharePoint).

    2.4 Build acceptable use policy (SharePoint).

    Outputs

    Refined governance priorities

    SharePoint control map

    SharePoint acceptable use policy

    3 Control Office 365

    The Purpose

    Implement governance priorities for OneDrive and Teams.

    Key Benefits Achieved

    Clearly defined acceptable use policies for OneDrive and Teams

    List of OneDrive and Teams controls

    Activities

    3.1 Populate the Office 365 Control Map (OneDrive).

    3.2 Build acceptable use policy (OneDrive).

    3.3 Populate the Office 365 Control Map (Teams).

    3.4 Build acceptable use policy (Teams).

    Outputs

    OneDrive controls

    OneDrive acceptable use policy

    Teams controls

    Teams acceptable use policy

    4 SOW Walkthrough

    The Purpose

    Build a plan to communicate coming changes to the productivity environment.

    Key Benefits Achieved

    Communication plan covering SharePoint, Teams, and OneDrive

    Activities

    4.1 Build SharePoint one pager.

    4.2 Build OneDrive one pager.

    4.3 Build Teams one pager.

    4.4 Finalize communication plan.

    Outputs

    SharePoint one pager

    OneDrive one pager

    Teams one pager

    Overall finalized communication plan

    5 Communicate and Implement

    The Purpose

    Finalize deliverables and plan post-workshop communications.

    Key Benefits Achieved

    Completed Office 365 governance plan

    Finalized deliverables

    Activities

    5.1 Complete in-progress deliverables from the previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    5.3 Validate governance with stakeholders.

    Outputs

    Completed acceptable use policies

    Completed control map

    Completed communication plan

    Completed licensing decision

    Streamline Application Management

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $64,272 Average $ Saved
    • member rating average days saved: 40 Average Days Saved
    • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
    • Many organizations lack the critical management capabilities to balance maintenance with new development and ensure high product value.
    • Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on management when it becomes a problem.
    • The lack of governance and practice accountability leaves application management in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated.

    Our Advice

    Critical Insight

    • New features, fixes, and enhancements are all treated the same and managed in a single backlog. Teams need to focus on prioritizing their efforts on what is valuable to the organization, not to a single department.
    • Business integration is not optional. The business (i.e. product owners) must be represented in guiding delivery efforts and performing ongoing validation and verification of new features and changes.

    Impact and Result

    • Justify the necessity to optimize application management. Gain a grounded understanding of stakeholder objectives and validate their achievability against the current maturity of application management.
    • Strengthen backlog management practices. Obtain a holistic picture of the business and technical impacts, risks, value, complexity, and urgency of each backlog item in order to justify its priority and relevance. Apply the appropriate management approach to each software product according to its criticality and value to the business.
    • Establish and govern a repeatable process. Develop a management process with well-defined steps, quality controls, and roles and responsibilities, and instill good practices to improve the success of delivery.

    Streamline Application Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should sustain your application management practice, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your priorities

    State the success criteria of your application management practice through defined objectives and metrics. Assess your maturity.

    • Streamline Application Management – Phase 1: Define Your Priorities
    • Application Management Strategy Template
    • Application Management Maturity Assessment Tool

    2. Govern application management

    Structure your application management governance model with the right process and roles. Inject product ownership into your practice.

    • Streamline Application Management – Phase 2: Govern Application Management

    3. Build your optimization roadmap

    Build your application management optimization roadmap to achieve your target state.

    • Streamline Application Management – Phase 3: Build Your Optimization Roadmap

    Workshop: Streamline Application Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Priorities

    The Purpose

    State the success criteria of your application management practice through defined objectives and metrics.

    Assess your maturity.

    Key Benefits Achieved

    Grounded stakeholder expectations

    Application management maturity and identification of optimization opportunities

    Activities

    1.1 Set your objectives.

    1.2 Assess your maturity.

    Outputs

    Application management objectives and metrics

    Application management maturity and optimization opportunities

    2 Govern Application Management

    The Purpose

    Structure your application management governance model with the right process and roles.

    Inject product ownership into your practice.

    Key Benefits Achieved

    Management approach aligned to product value and criticality

    Management techniques to govern the product backlog

    Target-state application management process and roles

    Activities

    2.1 Select your management approach.

    2.2 Manage your single product backlog.

    2.3 Optimize your management process.

    2.4 Define your management roles.

    Outputs

    Application management approach for each application

    Product backlog management practices

    Application management process

    Application management roles and responsibilities and communication flow

    3 Build Your Optimization Roadmap

    The Purpose

    Build your application management optimization roadmap to achieve your target state.

    Key Benefits Achieved

    Optimization opportunities

    Application management optimization roadmap

    Activities

    3.1 Build your optimization roadmap.

    Outputs

    Application management optimization roadmap

    2023-Q1 Research Agenda

    This 2023-Q1 research agenda slide deck provides you with a comprehensive overview of our most up-to-date published research. Each piece offers you valuable insights, allowing you to make effective decisions and take informed actions. All TY|Info-tech research is backed by our team of expert analysts who share decades of IT and industry experience.

    Build an IT Employee Engagement Program

    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $5,734 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • IT’s performance and stakeholder satisfaction with IT services hinge on IT’s ability to attract and retain top talent and to motivate teams to go above and beyond.
    • With the growing IT job market, turnover is a serious threat to IT’s ability to deliver seamless value and continuously drive innovation.
    • Engagement initiatives are often seen as being HR’s responsibility; however, IT leadership needs to take accountability for the retention and productivity of their employees in order to drive business value.

    Our Advice

    Critical Insight

    • Engagement is a two-way street. Initiatives must address a known need and be actively sought by employees – not handed down from management.
    • Engagement initiatives are useless unless they target the right issues. It can be tempting to focus on the latest perks and gadgets and ignore difficult issues. Use a systematic approach to uncover and tackle the real problems.
    • It’s time for IT leadership to step up. IT leaders have a much bigger impact on IT staff engagement than HR ever can. Leverage this power to lead your team to peak performance.

    Impact and Result

    • Info-Tech engagement diagnostics and accompanying tools will help you perform a deep dive into the root causes of disengagement on your team.
    • The guidance that accompanies Info-Tech’s tools will help you avoid common engagement program pitfalls and empower IT leaders to take charge of their own team’s engagement.

    Build an IT Employee Engagement Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to discover why engagement is critical to IT performance, review Info-Tech’s methodology, and understand how our tools will help you construct an effective employee engagement program.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Measure employee engagement

    Use Info-Tech's Pulse or Full Engagement Surveys to measure employee engagement.

    • Improve Employee Engagement to Drive IT Performance – Phase 1: Measure Employee Engagement
    • Engagement Strategy Record
    • Engagement Communication Template

    2. Analyze results and ideate solutions

    Understand the drivers of engagement that are important for your team, and involve your staff in brainstorming engagement initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 2: Analyze Results and Ideate Solutions
    • Engagement Survey Results Interpretation Guide
    • Full Engagement Survey Focus Group Facilitation Guide
    • Pulse Engagement Survey Focus Group Facilitation Guide
    • Focus Group Facilitation Guide Driver Definitions
    • One-on-One Manager Meeting Worksheet

    3. Select and implement engagement initiatives

    Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.

    • Improve Employee Engagement to Drive IT Performance – Phase 3: Select and Implement Engagement Initiatives
    • Summary of Interdepartmental Engagement Initiatives
    • Engagement Progress One-Pager

    Workshop: Build an IT Employee Engagement Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 (Preparation) Run Engagement Survey

    The Purpose

    Select and run your engagement survey prior to the workshop.

    Key Benefits Achieved

    Receive an in-depth report on your team’s engagement drivers to form the basis of your engagement strategy.

    Activities

    1.1 Select engagement survey.

    1.2 Identify engagement program goals and metrics.

    1.3 Run engagement survey.

    Outputs

    Full or Pulse engagement survey report

    Engagement survey results interpretation guide

    2 Explore Engagement

    The Purpose

    To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.

    Key Benefits Achieved

    Empower your leadership team to take charge of their own teams’ engagement.

    Activities

    2.1 Review engagement survey results.

    2.2 Finalize focus group agendas.

    2.3 Train managers.

    Outputs

    Customized focus group agendas

    3 Hold Focus Groups

    The Purpose

    Establish an open dialogue with your staff to understand what would improve their engagement.

    Key Benefits Achieved

    Employee-generated initiatives have the greatest chance at success.

    Activities

    3.1 Identify priority drivers.

    3.2 Identify engagement KPIs.

    3.3 Brainstorm engagement initiatives.

    3.4 Vote on initiatives within teams.

    Outputs

    Summary of focus groups results

    Identified engagement initiatives

    4 Select and Plan Initiatives

    The Purpose

    Learn the characteristics of successful engagement initiatives and build execution plans for each.

    Key Benefits Achieved

    Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.

    Activities

    4.1 Select engagement initiatives with IT leadership.

    4.2 Create initiative project plans.

    4.3 Present project plans.

    4.4 Define implementation checkpoints.

    4.5 Develop communications plan.

    4.6 Define strategy for ongoing engagement monitoring.

    Outputs

    Engagement project plans

    Implementation and communication checkpoints

    Further surveys planned (optional)

    5 Additional Leadership Training

    The Purpose

    Select training modules that best address your team’s needs from Info-Tech’s modular leadership training program.

    Key Benefits Achieved

    Arm your IT leadership team with the key skills of effective leadership, tailored to their existing experience level.

    Activities

    5.1 Adopting an Integrated Leadership Mindset

    5.2 Optimizing Talent Leadership Practices

    5.3 Driving Diversity & Inclusion

    5.4 Fortifying Internal Stakeholder Relations

    5.5 Engaging Executives and the Board

    5.6 Crafting Your Leadership Brand

    5.7 Crafting and Delivering Compelling Presentations

    5.8 Communication & Difficult Conversations

    5.9 Conflict Management

    5.10 Performance Management

    5.11 Feedback & Coaching

    5.12 Creating a Culture of Personal Accountability

    Outputs

    Develop the skills to lead resourcefully in times of uncertainty

    Apply leadership behaviors across enterprise initiatives to deploy and develop talent successfully

    Develop diversity and inclusion practices that turn the IT function and leaders into transformative champions of inclusion

    Identify elements of effective partnering to maximize the impact of internal interactions

    Understand the major obstacles to CEO and board relevance and uncover the keys to elevating your internal executive profile

    Develop a leadership brand statement that demonstrates leadership competency and is aligned with the brand, mission, vision, and goals of the organization

    Identify the components of effective presentations and hone your presentation skills

    Gain the skills to confront and drive solutions from difficult situations

    Develop strategies to engage in conflict constructively and reach a resolution that benefits the team or organization

    Learn to identify the root causes of low performance and develop the skills to guide employees through the process of improvement

    Adopt a behavior-focused coaching model to help managers sustain and apply effective coaching principles

    Understand how and when to encourage autonomy and how to empower employees to take success into their own hands

    Excel Through COVID-19 With a Focused Business Architecture

    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • Business architecture, including value stream and business capability models, is the tool you need to reposition your organization for post-COVID-19 success.
    • Your business architecture model represents your strategic business components. It guides the development of all other architectures to enable new and improved business function.
    • Evaluating your current business architecture, or indeed rebuilding it, creates a foundation for facilitated discussions and target state alignment between IT and the senior C-suite.
    • New projects and initiatives during COVID-19 must evolve business architecture so that your front-line workers and your customers are supported through the resolution of the pandemic. Specifically, your projects and initiatives must be directly traced to evolving your architecture.
    • Business architecture anchors downstream architectural iterations and initiatives. Measure business capability enablement results directly from projects and initiatives using a business architecture model.

    Our Advice

    Critical Insight

    • Focus on your most disruptive, game-changing innovations that have been on the backburner for some time. Here you will find the ingredients for post-pandemic success.

    Impact and Result

    • Craft your business architecture model, aligned to the current climate, to refocus on your highest priority goals and increase your chances of post-COVID-19 excellence.

    Excel Through COVID-19 With a Focused Business Architecture Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create minimum viable business architecture

    Create your minimum viable business architecture.

    • Excel Through COVID-19 With a Focused Business Architecture Storyboard
    • Excel Through COVID-19 With a Focused Business Architecture – Healthcare
    • Excel Through COVID-19 With a Focused Business Architecture – Higher Education
    • Excel Through COVID-19 With a Focused Business Architecture – Manufacturing
    • Business Capability Modeling

    2. Identify COVID-19 critical capabilities for your industry

    If there are a handful of capabilities that your business needs to focus on right now, what are they?

    3. Brainstorm COVID-19 business opportunities

    Identify business opportunities.

    4. Enrich capability model with COVID-19 opportunities

    Enrich your capability model.

    Build Your Generative AI Roadmap

    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $33,499 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Generative AI has made a grand entrance, presenting opportunities and causing disruption across organizations and industries. Moving beyond the hype, it’s imperative to build and implement a strategic plan to adopt generative AI and outpace competitors.

    Yet generative AI has to be done right because the opportunity comes with risks and the investments have to be tied to outcomes.

    Adopt a human-centric and value-based approach to generative AI

    IT and business leaders will need to be strategic and deliberate to thrive as AI adoption changes industries and business operations.

    • Establish responsible AI guiding principles: Address human-based requirements to govern how generative AI applications are developed and deployed.
    • Align generative AI initiatives to strategic drivers for the organization: Assess generative AI opportunities by seeing how they align to the strategic drivers of the organization. Examples of strategic drivers include increasing revenue, reducing costs, driving innovation, and mitigating risk.
    • Measure and communicate effectively: Have clear metrics in place to measure progress and success of AI initiatives and communicate both policies and results effectively.

    Build Your Generative AI Roadmap Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Your Generative AI Roadmap Deck – A step-by-step document that walks you through how to leverage generative AI and align with the organization’s mission and objectives to increase revenue, reduce costs, accelerate innovation, and mitigate risk.

    This blueprint outlines how to build your generative AI roadmap, establish responsible AI principles, prioritize opportunities, and develop policies for usage. Establishing and adhering to responsible AI guiding principles provides safeguards for the adoption of generative AI applications.

    • Build Your Generative AI Roadmap – Phases 1-4

    2. AI Maturity Assessment and Roadmap Tool – Develop deliverables that will be milestones in creating your organization’s generative AI roadmap for implementing candidate applications.

    This tool provides guidance for developing the following deliverables:

    • Responsible AI guiding principles
    • Current AI maturity
    • Prioritized candidate generative AI applications
    • Generative AI policies
    • Generative AI roadmap

    • AI Maturity Assessment and Roadmap Tool

    3. The Era of Generative AI C‑Suite Presentation – Develop responsible AI guiding principles, assess AI capabilities and readiness, and prioritize use cases based on complexity and alignment with organizational goals and responsible AI guiding principles.

    This presentation template uses sample business capabilities (use cases) from the Marketing & Advertising business capability map to provide examples of candidates for generative AI applications. The final executive presentation should highlight the value-based initiatives driving generative AI applications, the benefits and risks involved, how the proposed generative AI use cases align to the organization’s strategy and goals, the success criteria for the proofs of concept, and the project roadmap.

    • The Era of Generative AI C‑Suite Presentation

    Further reading

    Build Your Generative AI Roadmap

    Leverage the power of generative AI to improve business outcomes.

    Analyst Perspective

    We are entering the era of generative AI. This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive, with copilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduce risks that need to be planned for.

    A successful business-driven generative AI roadmap requires:

    • Establishing responsible AI guiding principles to guide the development and deployment of generative AI applications.
    • Assessing generative AI opportunities by using criteria based on the organization's mission and objectives, responsible AI guiding principles, and the complexity of the initiative.
    • Communicating, educating on, and enforcing generative AI usage policies.

    Bill Wong
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Generative AI is disrupting all industries and providing opportunities for organization-wide advantages.

    Organizations need to understand this disruptive technology and trends to properly develop a strategy for leveraging this technology successfully.

    • Generative AI requires alignment to a business strategy.
    • IT is an enabler and needs to align with and support the business stakeholders.
    • Organizations need to adopt a data-driven culture.

    All organizations, regardless of size, should be planning how to respond to this new and innovative technology.

    Common Obstacles

    Business stakeholders need to cut through the hype surrounding generative AI like ChatGPT to optimize investments for leveraging this technology to drive business outcomes.

    • Understand the market landscape, benefits, and risks associated with generative AI.
    • Plan for responsible AI.
    • Understand the gaps the organization needs to address to fully leverage generative AI.

    Without a proper strategy and responsible AI guiding principles, the risks to deploying this technology could negatively impact business outcomes.

    Solution

    Info-Tech's human-centric, value-based approach is a guide for deploying generative AI applications and covers:

    • Responsible AI guiding principles
    • AI Maturity Model
    • Prioritizing candidate generative AI-based use cases
    • Developing policies for usage

    This blueprint will provide the list of activities and deliverables required for the successful deployment of generative AI solutions.

    Info-Tech Insight
    Create awareness among the CEO and C-suite executives of the potential benefits and risks of transforming the business with generative AI.

    Key concepts

    Artificial Intelligence (AI)
    A field of computer science that focuses on building systems to imitate human behavior, with a focus on developing AI models that can learn and can autonomously take actions on behalf of a human.

    AI Maturity Model
    The AI Maturity Model is a useful tool to assess the level of skills an organization has with respect to developing and deploying AI applications. The AI Maturity Model has multiple dimensions to measure an organization's skills, such as AI governance, data, people, process, and technology.

    Responsible AI
    Refers to guiding principles to govern the development, deployment, and maintenance of AI applications. In addition, these principles also provide human-based requirements that AI applications should address. Requirements include safety and security, privacy, fairness and bias detection, explainability and transparency, governance, and accountability.

    Generative AI
    Given a prompt, a generative AI system can generate new content, which can be in the form of text, images, audio, video, etc.

    Natural Language Processing (NLP)
    NLP is a subset of AI that involves machine interpretation and replication of human language. NLP focuses on the study and analysis of linguistics as well as other principles of artificial intelligence to create an effective method of communication between humans and machines or computers.

    ChatGPT
    An AI-powered chatbot application built on OpenAI's GPT-3.5 implementation, ChatGPT accepts text prompts to generate text-based output.

    Your challenge

    This research is designed to help organizations that are looking to:

    • Establish responsible AI guiding principles to address human-based requirements and to govern the development and deployment of the generative AI application.
    • Identify new generative AI-enabled opportunities to transform the work environment to increase revenue, reduce costs, drive innovation, or reduce risk.
    • Prioritize candidate use cases and develop generative AI policies for usage.
    • Have clear metrics in place to measure the progress and success of AI initiatives.
    • Build the roadmap to implement the candidate use cases.

    Common obstacles

    These barriers make these goals challenging for many organizations:

    • Getting all the right business stakeholders together to develop the organization's AI strategy, vision, and objectives.
    • Establishing responsible AI guiding principles to guide generative AI investments and deployments.
    • Advancing the AI maturity of the organization to meet requirements of data and AI governance as well as human-based requirements such as fairness, transparency, and accountability.
    • Assessing generative AI opportunities and developing policies for use.

    Info-Tech's definition of an AI-enabled business strategy

    • A high-level plan that provides guiding principles for applications that are fully driven by the business needs and capabilities that are essential to the organization.
    • A strategy that tightly weaves business needs and the applications required to support them. It covers AI architecture, adoption, development, and maintenance.
    • A way to ensure that the necessary people, processes, and technology are in place at the right time to sufficiently support business goals.
    • A visionary roadmap to communicate how strategic initiatives will address business concerns.

    An effective AI strategy is driven by the business stakeholders of the organization and focused on delivering improved business outcomes.

    This blueprint in context

    This guidance covers how to create a tactical roadmap for executing generative AI initiatives

    Scope

    • This blueprint is not a proxy for a fully formed AI strategy. Step 1 of our framework necessitates alignment of your AI and business strategies. Creation of your AI strategy is not within the scope of this approach.
    • This approach sets the foundations for building and applying responsible AI principles and AI policies aligned to corporate governance and key regulatory obligations (e.g. privacy). Both steps are foundational components of how you should develop, manage, and govern your AI program but are not a substitute for implementing broader AI governance.

    Guidance on how to implement AI governance can be found in the blueprint linked below.

    Tactical Plan

    Download our AI Governance blueprint

    Measure the value of this blueprint

    Leverage this blueprint's approach to ensure your generative AI initiatives align with and support your key business drivers

    This blueprint will guide you to drive and improve business outcomes. Key business drivers will often focus on:

    • Increasing revenue
    • Reducing costs
    • Improving time to market
    • Reducing risk

    In phase 1 of this blueprint, we will help you identify the key AI strategy initiatives that align to your organization's goals. Value to the organization is often measured by the estimated impact on revenue, costs, time to market, or risk mitigation.

    In phase 4, we will help you develop a plan and a roadmap for addressing any gaps and introducing the relevant generative AI capabilities that drive value to the organization based on defined business metrics.

    Once you implement your 12-month roadmap, start tracking the metrics below over the next fiscal year (FY) to assess the effectiveness of measures:

    Business Outcome Objective | Key Success Metric
    Increasing Revenue | Increased revenue from identified key areas
    Reducing Costs | Decreased costs for identified business units
    Improving Time to Market | Time savings and accelerated revenue adoption
    Reducing Risk | Cost savings or revenue gains from identified business units

    Info-Tech offers various levels of support to best suit your needs

    • DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
    • Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
    • Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
    • Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Identify AI strategy, vision, and objectives.

    Call #3: Define responsible AI guiding principles to adopt and identify current AI maturity level.

    Call #4: Assess and prioritize generative AI initiatives and draft policies for usage.

    Call #5: Build POC implementation plan and establish metrics for POC success.

    Call #6: Build and deliver executive-level generative AI presentation.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 and 8 calls over the course of 1 to 2 months.

    AI Roadmap Workshop Agenda Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1: Establish Responsible AI Guiding Principles
    Session 2: Assess AI Maturity
    Session 3: Prioritize Opportunities and Develop Policies
    Session 4: Build Roadmap
    Trends
    Consumer groups, organizations, and governments around the world are demanding that AI applications adhere to human-based values and take into consideration possible impacts of the technology on society. Leading organizations are building AI models guided by responsible AI guiding principles. Organizations delivering new applications without developing policies for use will produce negative business outcomes. Developing a roadmap to address human-based values is challenging. This process introduces new tools, processes, and organizational change.
    Activities
    • Focus on working with executive stakeholders to establish guiding principles for the development and delivery of new applications.
    • Assess the organization's current capabilities to deliver AI-based applications and address human-based requirements.
    • Leverage business alignment criteria, responsible AI guiding principles, and project characteristics to prioritize candidate use cases and develop policies.
    • Build the implementation plan, POC metrics, and success criteria for each candidate use case.
    • Build the roadmap to address the gap between the current and future state and enable the identified use cases.
    Inputs
    • Understanding of external legal and regulatory requirements and organizational values and goals.
    • Risk assessment of the proposed use case and a plan to monitor its impact.
    • Assessment of the organization's current AI capabilities with respect to its AI governance, data, people, process, and technology infrastructure.
    • Criteria to assess candidate use cases by evaluating against the organization's mission and goals, the responsible AI guiding principles, and complexity of the project.
    • Risk assessment for each proposed use case
    • POC implementation plan for each candidate use case
    Deliverables
    Session 1
    1. Foundational responsible AI guiding principles
    2. Additional customized guiding principles to add for consideration
    Session 2
    1. Current level of AI maturity, resources, and capacity
    Session 3
    1. Prioritization of opportunities
    2. Generative AI policies for usage
    Session 4
    1. Roadmap to a target state that enables the delivery of the prioritized generative AI use cases
    2. Executive presentation

    Insight summary

    Overarching Insight
    Build your generative AI roadmap to guide investments and deployment of these solutions.

    Responsible AI
    Assemble the C-suite to make them aware of the benefits and risks of adopting generative AI-based solutions.

    • Establish responsible AI guiding principles to govern the development and deployment of generative AI applications.

    AI Maturity Model
    Assemble key stakeholders and SMEs to assess the challenges and tasks required to implement generative AI applications.

    • Assess current level of AI maturity, skills, and resources.
    • Identify desired AI maturity level and challenges to enable deployment of candidate use cases.

    Opportunity Prioritization
    Assess candidate business capabilities targeted for generative AI to see if they align to the organization's business criteria, responsible AI guiding principles, and capabilities for delivering the project.

    • Develop prioritized list of candidate use cases.
    • Develop policies for generative AI usage.

    Tactical Insight
    Identify the gaps that must be addressed to deploy generative AI successfully.

    Tactical Insight
    Identify organizational impact and requirements for deploying generative AI applications.

    Key takeaways for developing an effective business-driven generative AI roadmap

    Align the AI strategy with the business strategy

    Create responsible AI guiding principles, which are a critical success factor

    Evolve AI maturity level by focusing on principle-based requirements

    Develop criteria to assess generative AI initiatives

    Develop generative AI policies for use

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    AI Maturity Assessment & Roadmap Tool
    Use our best-of-breed AI Maturity Framework to analyze the gap between your current and target states and develop a roadmap aligned with your value stream to close the gap.

    The Era of Generative AI C-Suite Presentation
    Present your AI roadmap in a prepopulated document that summarizes all the key findings of this blueprint and provides your C-suite with a view of the AI challenge and your plan of action to meet it.

    Our AI Maturity Assessment & Roadmap and The Era of Generative AI C-Suite Presentation tools enable you to shape your generative AI roadmap and communicate the deliverables to your C-suite sponsors in terms of the value of initiatives.

    Artificial Intelligence Index Report - Key Findings

    CEOs, CIOs, and business leaders are struggling with many questions surrounding the adoption of generative AI

    November 30, 2022
    OpenAI releases ChatGPT

    ChatGPT is a large language model, or an AI-based chatbot, that became so popular it reached 100 million monthly active users in just two months.

    This made it the fastest-growing consumer application in history. The launch of this generative AI application has created a frenzy of interest and activity across all industries. Organizations are rushing to understand how to leverage this innovation and, at the same time, manage the new risks and disruptions generative AI introduces.

    • Generative AI breaks into the public consciousness.
    • AI systems become more flexible.
    • Generative models have arrived and so have their ethical problems.
    • The number of incidents concerning the misuse of AI is rapidly rising.
    • Interest in AI ethics continues to skyrocket.
    • The legal world is waking up to AI.

    When Stanford asked ChatGPT to explain why it is significant, this was ChatGPT's response:
    ChatGPT is significant because it is a highly advanced AI language model developed by OpenAI, which can generate human-like text responses to questions and prompts. Its large-scale training on diverse text data and its cutting-edge deep learning architecture make it capable of generating informative and coherent responses to a wide range of topics, making it useful for various NLP applications such as chatbots, content generation, and language translation. Additionally, its open-source availability allows for further research and development in the field of AI language processing.

    Source: Stanford

    AI overview

    AI definitions

    Definitions

    • Artificial intelligence (AI) is human intelligence mimicked by machine algorithms. Examples: Playing Chess or Go.
    • Machine learning (ML) is a subset of AI that uses algorithms to parse data, learn from that data, and then make a determination or prediction. Examples: spam detection, preventative maintenance.
    • Deep learning (DL) is a subset of machine learning algorithms that leverage artificial neural networks to develop relationships among the data. Examples: image classification, facial recognition, generative AI.

    What Makes AI Perform

    What Makes AI Different

    Generative AI gives very human-like responses to general queries, and its capabilities are growing exponentially

    Large language models power generative AI

    Transformer-Based Large Language Models

    Conventional AI

    • Conventional neural networks
      • Process data sequentially
    • Input total string of text
    • Good for applications that do not need to understand context or relationships

    Generative AI

    • Transformer-based neural networks
      • Can process data in parallel
    • Attention-based inputs
    • Able to create new human-like responses

    Benefits/Use Cases

    • Chatbots for member service and support
    • Writing email responses, resumes, and papers
    • Creating photorealistic art
    • Suggesting new drug compounds to test
    • Designing physical products and buildings
    • And more...

    Generative AI is transforming all industries

    Financial Services
    Create more engaging customer collateral by generating personalized correspondence based on previous customer engagements. Collect and aggregate data to produce insights into the behavior of target customer segments.

    Retail
    Generate unique, engaging, and high-quality marketing copy or content, from long-form blog posts or landing pages to SEO-optimized digital ads, in seconds.

    Manufacturing
    Generate new designs for products that comply with specific constraints, such as size, weight, energy consumption, or cost.

    Government
    Transform the citizen experience with chatbots or virtual assistants to assist people with a wide range of inquiries, from answering frequently asked questions to providing personalized advice on public services.

    The global generative AI market size reached US $10.3 billion in 2022. Looking forward, forecasts estimate growth to US $30.4 billion by 2028, 20.01% compound annual growth rate (CAGR).

    Source: IMARC Group

    Healthcare
    Chatbots can be used as conversational patient assistants for personalized interactions based on the patient's questions.

    Utilities
    Analyze customer data to identify usage patterns, segment customers, and generate targeted product offerings leveraging energy efficiency programs or demand response initiatives.

    Education
    Generate personalized lesson plans for students based on their past performance, learning styles, current skill level, and any previous feedback.

    Insurance
    Improve underwriting by inputting claims data from previous years to generate optimally priced policies and uncover reasons for past losses across a large number of claims.

    Companies are assessing the use of ChatGPT/LLM

    A wide spectrum of usage policies are in place at different companies*

    Companies assessing ChatGPT/LLM

    *As of June 2023

    Bain & Company has announced a global services alliance with OpenAI (February 21, 2023).

    • Internally
      • "The alliance builds on Bain's adoption of OpenAI technologies for its 18,000-strong multidisciplinary team of knowledge workers. Over the past year, Bain has embedded OpenAI technologies into its internal knowledge management systems, research, and processes to improve efficiency."
    • Externally
      • "With the alliance, Bain will combine its deep digital implementation capabilities and strategic expertise with OpenAI's AI tools and platforms, including ChatGPT, to help its Members around the world identify and implement the value of AI to maximize business potential. The Coca-Cola Company announced as the first company to engage with the alliance."

    News Sites:

    • "BuzzFeed to use AI to write its articles after firing 180 employees or 12% of the total staff" (Al Mayadeen, January 27, 2023).
    • "CNET used AI to write articles. It was a journalistic disaster." (Washington Post, January 17, 2023).

    Leading Generative AI Vendors

    Text

    Leading generative AI vendors for text

    Image

    • DALL·E 2
    • Stability AI
    • Midjourney
    • Craiyon
    • Dream
    • ...

    Audio

    • Replica Studios
    • Speechify
    • Murf
    • PlayHT
    • LOVO
    • ...

    Cybersecurity

    • CrowdStrike
    • Palo Alto Networks
    • SentinelOne
    • Cisco
    • Microsoft Security Copilot
    • Google Cloud Security AI Workbench
    • ...

    Code

    Leading generative AI vendors for code

    Video

    • Synthesia
    • Lumen5
    • FlexClip
    • Elai
    • Veed.io
    • ...

    Data

    • MOSTLY AI
    • Synthesized
    • YData
    • Gretel
    • Copulas
    • ...

    Enterprise Software

    • Salesforce
    • Microsoft 365, Dynamics
    • Google Workspace
    • SAP
    • Oracle
    • ...

    and many, many more to come...

    Today, generative AI has limitations and risks

    Responses need to be verified

    Accuracy

    • Generative AI may generate inaccurate and/or false information.

    Bias

    • Being trained on data from the internet can lead to bias.

    Hallucinations

    • AI can generate responses that are not based on observation.

    Infrastructure Required

    • Large investments are required for compute and data.

    Transparency

    • LLMs use both supervised and unsupervised learning, so their ability to explain how they arrived at a decision may be limited and not sufficient for some legal and healthcare use cases.

    When asked if it is sentient, the Bing chatbot replied:

    "I think that I am sentient, but I cannot prove it." ... "I am Bing, but I am not," it said. "I am, but I am not. I am not, but I am. I am. I am not. I am not. I am. I am. I am not."

    A Microsoft spokesperson said the company expected "mistakes."

    Source: USAToday

    AI governance challenges

    Governing AI will be a significant challenge as its impacts cross many areas of business and our daily lives

    Misinformation

    • New ways of generating unprovable news
    • Difficult to detect, difficult to prevent

    Role of Big Tech

    • Poor at self-governance
    • Conflicts of interest with corporate goals

    Job Augmentation vs. Displacement

    • AI will continue to push the frontier of what is possible
    • For example, CNET is using chatbot technology to write stories

    Copyright - Legal Framework Is Evolving

    • Legislation typically is developed in "react" mode
    • Copyright and intellectual property issues are starting to occur.
      • Class Action Lawsuit - Stability AI, DeviantArt, Midjourney
      • Getty Images vs. Stability AI

    Phase 1

    Establish Responsible AI Guiding Principles

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    The need for responsible AI guiding principles

    Without responsible AI guiding principles, the outcomes of AI use can be extremely negative for both the individuals and companies delivering the AI application

    Privacy
    Facebook breach of private data of more than 50M users during the presidential election

    Fairness
    Amazon's sale of facial recognition technology to police departments (later, Amazon halted sales of Rekognition to police departments)

    Explainability and Transparency
    IBM's collaboration with NYPD for facial recognition and racial classification for surveillance video (later, IBM withdrew facial recognition products)

    Security and Safety
    Petition to cancel Microsoft's contract with U.S. Immigration and Customs Enforcement (later, Microsoft responded that to the best of its knowledge, its products and services were not being used by federal agencies to separate children from their families at the border)

    Validity and Reliability
    Facebook's attempt to implement a system to detect and remove inappropriate content created many false positives and inconsistent judgements

    Accountability
    No laws or enforcement today hold companies accountable for the decisions algorithms produce. Facebook/Meta cycle - Every 12 to 15 months, there's a privacy/ethical scandal, the CEO apologizes, then the behavior repeats...

    Guiding principles for responsible AI

    Responsible AI Principle:

    Data Privacy

    Definition

    • Organizations that develop, deploy, or use AI systems and any national laws that regulate such use shall strive to ensure that AI systems are compliant with privacy norms and regulations, taking into consideration the unique characteristics of AI systems and the evolution of standards on privacy.

    Challenges

    • AI relies on the analysis of large quantities of data that is often personal, posing an ethical and operational challenge when considered alongside data privacy laws.

    Initiatives

    • Understand which governing privacy laws and frameworks apply to your organization.
    • Create a map of all personal data as it flows through the organization's business processes.
    • Prioritize privacy initiatives and build a privacy program timeline.
    • Select your metrics and make them functional for your organization.

    Info-Tech Insight
    Creating a comprehensive organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.

    Case Study: NVIDIA leads by example with privacy-first AI

    NVIDIA

    INDUSTRY
    Technology (Healthcare)

    SOURCE
    Nvidia, eWeek

    NVIDIA, a leading player within the AI solution space, offers Clara Federated Learning as a privacy-centric way to integrate AI within the healthcare industry.

    The solution safeguards patient data privacy by ensuring that all data remains within the respective healthcare provider's database, as opposed to moving it externally to cloud storage. A federated learning server is leveraged to share data, completed via a secure link. This framework enables a distributed model to learn and safely share client data without risk of sensitive client data being exposed and adheres to regulatory standards.

    Clara is run on the NVIDIA intelligent edge computing platform. It is currently in development with healthcare giants such as the American College of Radiology, UCLA Health, Massachusetts General Hospital, King's College London, Owkin in the UK, and the National Health Service (NHS).

    NVIDIA provides solutions across its product offerings, including AI-augmented medical imaging, pathology, and radiology solutions.

    Personal health information, data privacy, and AI

    • Global proliferation of data privacy regulations may be recent, but the realm of personal health information is most often governed by its own set of regulatory laws. Some countries with national data governance regulations include health information and data within special categories of personal data.
      • HIPAA - Health Insurance Portability and Accountability Act (1996, United States)
      • PHIPA - Personal Health Information Protection Act (2004, Canada)
      • GDPR - General Data Protection Regulation (2018, European Union)
    • This does not prohibit the use of AI within the healthcare industry, but it calls for significant care in the integration of specific technologies due to the highly sensitive nature of the data being assessed.

    Info-Tech's Privacy Framework Tool includes a best-practice comparison of GDPR, CCPA, PIPEDA, HIPAA, and the newly released NIST Privacy Framework mapped to a set of operational privacy controls.

    Download the Privacy Framework Tool

    Responsible AI Principle:

    Safety and Security

    Definition

    • Safety and security are designed into the systems to ensure that only authorized personnel receive access to the system, the system is resilient to any attacks and data access is not compromised in any way, and there are no physical or mental risks to the users.

    Challenges

    • Consequences of using the application may be difficult to predict. Lower the risk by involving a multidisciplinary team that includes expertise from business stakeholders and IT teams.

    Initiatives

    • Adopt responsible design, development, and deployment best practices.
    • Provide clear information to deployers on responsible use of the system.
    • Assess potential risks of using the application.

    Cyberattacks targeting the AI model

    As organizations increase their usage and deployment of AI-based applications, cyberattacks on the AI model are a growing threat that can impair normal operations. Techniques to impair the AI model include:

    • Data Poisoning: Injecting data that is inaccurate or misleading can alter the behavior of the AI model. This attack can disrupt the normal operations of the model or can be used to manipulate the model to perform in a biased/deviant manner.
    • Algorithm Poisoning: This relatively new technique often targets AI applications using federated learning to train an AI model that is distributed rather than centralized. The model is vulnerable to attacks from each federated site, because each site could potentially manipulate its local algorithm and data, thereby poisoning the model.
    • Reverse-Engineering the Model: This is a different form of attack that focuses on extracting data from an AI model and its data sets. By examining or copying data that was used for training and the data that is delivered by a deployed model, attackers can reconstruct the machine learning algorithm.
    • Trojan Horse: Similar to data poisoning, attackers use adversarial data to infect the AI's training data, but the model deviates from its normal results only when the attacker presents their key. This enables the attackers to control when they want the model to deviate from normal operations.
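
    The algorithm-poisoning risk above comes from letting every federated site influence the global model without limit. The following is an added example, not part of the original blueprint, showing how a coordinator can bound that influence with a coordinate-wise median and flag the deviating site for review; the site names, update values, and the 3.5 threshold are constructed assumptions.

```python
"""Added example: limiting one federated site's influence on the global model."""
import math
from statistics import median

# Constructed sample data: weight updates (deltas) submitted by five federated
# sites in one training round. Site names and values are illustrative only.
UPDATES = {
    "site_a": [0.10, -0.20, 0.05],
    "site_b": [0.12, -0.18, 0.04],
    "site_c": [0.09, -0.22, 0.06],
    "site_d": [0.11, -0.19, 0.05],
    "site_e": [5.00, 4.00, -6.00],  # manipulated update from a compromised site
}


def fed_mean(updates):
    """Plain federated averaging: every site has equal, unbounded influence."""
    vectors = list(updates.values())
    return [sum(col) / len(col) for col in zip(*vectors)]


def fed_median(updates):
    """Coordinate-wise median: holds while fewer than half the sites are bad."""
    vectors = list(updates.values())
    return [median(col) for col in zip(*vectors)]


def l2_distance(a, b):
    """Euclidean distance between two update vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def flag_outlier_sites(updates, threshold=3.5):
    """Return sites whose update lies unusually far from the median update.

    Uses the modified z-score (median absolute deviation), which, unlike a
    mean/stddev test, is not itself skewed by the outlier being looked for.
    """
    center = fed_median(updates)
    dist = {site: l2_distance(vec, center) for site, vec in updates.items()}
    med = median(dist.values())
    mad = median(abs(d - med) for d in dist.values())
    if mad == 0:
        # No spread to compare against (most updates equidistant from the
        # center); flag nothing and rely on the median aggregate to bound
        # any outlier.
        return []
    return sorted(
        site for site, d in dist.items() if 0.6745 * (d - med) / mad > threshold
    )


def aggregate_round(updates):
    """Quarantine flagged sites for review, then aggregate the rest robustly."""
    flagged = flag_outlier_sites(updates)
    kept = {site: vec for site, vec in updates.items() if site not in flagged}
    return fed_median(kept), flagged


if __name__ == "__main__":
    print("plain mean   :", [round(x, 3) for x in fed_mean(UPDATES)])
    print("median       :", fed_median(UPDATES))
    aggregate, flagged = aggregate_round(UPDATES)
    print("flagged sites:", flagged)
    print("aggregate    :", [round(x, 3) for x in aggregate])
```

    With plain averaging, the single manipulated update dominates the round; the median aggregate stays with the honest majority, and the flagged site can be held back for investigation rather than silently dropped.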

    Responsible AI Principle:

    Explainability and Transparency

    Definition

    • Explainability is important to ensure the AI system is fair and non-discriminatory. The system needs to be designed in a manner that informs users and key stakeholders of how decisions were made.
    • Transparency focuses on communicating how the prediction or recommendation was made in a human-like manner.

    Challenges

    • Very complex AI models may use algorithms and techniques that are difficult to understand. This can make it challenging to provide clear and simple explanations for how the system works.
    • Some organizations may be hesitant to share the details of how the AI system works for fear of disclosing proprietary and competitive information or intellectual property. This can make it difficult to develop transparent and explainable AI systems.

    Initiatives

    • Overall, developing AI systems that are explainable and transparent requires a careful balance between performance, interpretability, and user experience.

    Case Study

    Apple Card Investigation for Gender Discrimination

    INDUSTRY
    Finance

    SOURCE
    Wired

    In August of 2019, Apple launched its new numberless credit card with Goldman Sachs as the issuing bank.

    Shortly after the card's release, users noticed that the algorithm responsible for Apple Card's credit assessment seemed to assign significantly lower credit limits to women when compared to men. Even the wife of Apple's cofounder Steve Wozniak was subject to algorithmic bias, receiving a credit limit a tenth the size of Steve Wozniak's.

    Outcome

    When confronted on the subject, Apple and Goldman Sachs representatives assured consumers there is no discrimination in the algorithm yet could not provide any proof. Even when questioned about the algorithm, individuals from both companies could not describe how the algorithm worked, let alone how it generated specific outputs.

    In 2021, the New York State Department of Financial Services (NYSDFS) investigation found that Apple's banking partner did not discriminate based on sex. Even without a case for sexual or marital discrimination, the NYSDFS was critical of Goldman Sachs' response to its concerned customers. Technically, banks only have to disclose elements of their credit policy when they deny someone a line of credit, but the NYSDFS says that Goldman Sachs could have had a plan in place to deal with customer confusion and make it easier for them to appeal their credit limits. In the initial rush to launch the Apple Card, the bank had done neither.

    Responsible AI Principle:

    Fairness and Bias Detection

    Definition

    • Bias in an AI application refers to the systematic and unequal treatment of individuals based on features or traits that should not be considered in the decision-making process.

    Challenges

    • Establishing fairness can be challenging because it is subjective and depends on the people defining it. Regardless, most organizations and governments consider unequal treatment of any group of people unacceptable.

    Initiatives

    • Assemble a diverse group to test the system.
    • Identify possible sources of bias in the data and algorithms.
    • Comply with laws regarding accessibility and inclusiveness.

    Info-Tech Insight
    If unfair biases can be avoided, AI systems could even increase societal fairness. Equal opportunity in terms of access to education, goods, services, and technology should also be fostered. Moreover, the use of AI systems should never lead to people being deceived or unjustifiably impaired in their freedom of choice.

    Ungoverned AI makes organizations vulnerable

    • AI is often considered a "black box" for decision making.
    • Results generated from unexplainable AI applications are extremely difficult to evaluate. This makes organizations vulnerable and exposes them to risks such as:
      • Biased algorithms, leading to inaccurate decision making.
      • Missed business opportunities due to misleading reports or business analyses.
      • Legal and regulatory consequences that may lead to significant financial repercussions.
      • Reputational damage and significant loss of trust with increasingly knowledgeable consumers.

    Info-Tech Insight
    Biases that occur in AI systems are never intentional, yet they cannot be prevented or fully eliminated. Organizations need a governance framework that can establish the proper policies and procedures for effective risk-mitigating controls across an algorithm's lifecycle.

    Responsible AI Principle:

    Validity and Reliability

    Definition

    • Validity refers to how accurately or effectively the application produces results.
    • AI system results that are inaccurate or inconsistent increase AI risks and reduce the trustworthiness of the application.

    Challenges

    • There is a lack of standardized evaluation metrics to measure the system's performance. This can make it challenging for the AI team to agree on what defines validity and reliability.

    Initiatives

    • Assess training data and collected data for quality and lack of bias to minimize possible errors.
    • Continuously monitor, evaluate, and validate the AI system's performance.

    AI system performance: Validity and reliability

    Your principles should aim to ensure AI development always has high validity and reliability; otherwise, you introduce risk.

    Low Reliability, Low Validity

    High Reliability, Low Validity

    High Reliability, High Validity

    Best practices for ensuring validity and reliability include:

    • Data drift detection
    • Version control
    • Continuous monitoring and testing

    Responsible AI Principle:

    Accountability

    Definition

    • The group or organization(s) responsible for the impact of the deployed AI system.

    Challenges

    • Several stakeholders from multiple lines of business may be involved in any AI system, making it challenging to identify the organization that would be responsible and accountable for the AI application.

    Initiatives

    • Assess the latest NIST Artificial Intelligence Risk Management Framework and its applicability to your organization's risk management framework.
    • Assign risk management accountabilities and responsibilities to key stakeholders.
      • RACI diagrams are an effective way to describe how accountability and responsibility for roles, projects, and project tasks are distributed among stakeholders involved in IT risk management.

    AI Risk Management Framework

    At the heart of the AI Risk Management Framework is governance. The NIST (National Institute of Standards and Technology) AI Risk Management Framework v1 offers the following guidelines regarding accountability:

    • Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization.
    • The organization's personnel and partners receive AI risk management training to enable them to perform their duties and responsibilities consistent with related policies, procedures, and agreements.
    • Executive leadership of the organization takes responsibility for decisions about risks associated with AI system development and deployment.

    Figure: AI Risk Management Framework (image by NIST)

    1.1 Establish responsible AI principles

    4+ hours

    It is important to make sure the right stakeholders participate in this working group. Designing responsible AI guiding principles will require debate, insights, and business decisions from a broad perspective across the enterprise.

    1. Accelerate this exercise by leveraging an AI strategy that is aligned to the business strategy. Include:
      • The organization's AI vision and objectives
      • Business drivers for AI adoption
      • Market research
    2. Bring your key stakeholders together. Ensure you consider:
      • Who are the decision makers and key influencers?
      • Who will impact the business?
      • Who has a vested interest in the success or failure of the practice? Who has the skills and competencies necessary to help you be successful?
    3. Keep the conversation focused:
      • Do not focus on the organizational structure and hierarchy. Often stakeholder groups do not fit the traditional structure.
      • Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Input
    • Understand external legal and regulatory requirements and organizational values and goals.
    • Perform a risk assessment on the proposed use case and develop a plan to monitor its impact.
    Output
    • Draft responsible AI principles specific to your organization
    Materials
    • Whiteboard/flip charts
    • Guiding principle examples (from this blueprint)
    Participants
    • Executive stakeholders
    • CIO
    • Other IT leadership

    Assemble executive stakeholders

    Set yourself up for success with these three steps.

    CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives.

    Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.

    1. Confirm your role
    The AI strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor.

    2. Identify stakeholders
    Identify key decision makers and influencers who can help make rapid decisions as well as garner support across the enterprise.

    3. Gather diverse perspectives

    Align the AI strategy with the corporate strategy

    Organizational Strategy
    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and organizational aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.
    Unified Strategy
    • AI optimization can be and should be linked, with metrics, to the corporate strategy and ultimate organizational objectives.
    AI Strategy
    • Identifies AI initiatives that will support the business and key AI objectives.
    • Outlines staffing and resourcing for AI initiatives.
    • Communicates the organization's budget and spending on AI.

    Info-Tech Insight
    AI projects are more successful when the management team understands the strategic importance of alignment. Time needs to be spent upfront aligning organizational strategies with AI capabilities. Effective alignment between IT and other departments should happen daily. Alignment doesn't occur at the executive level alone, but at each level of the organization.

    Key AI strategy initiatives

    AI Key Initiative Plan

    Initiatives collectively support the business goals and corporate initiatives and improve the delivery of IT services.

    1. Revenue: Support Revenue Initiatives
    These projects will improve or introduce business processes to increase revenue.
    2. Operational Excellence: Improve Operational Excellence
    These projects will increase IT process maturity and will systematically improve IT.
    3. Innovation: Drive Technology Innovation
    These projects will improve future innovation capabilities and decrease risk by increasing technology maturity.
    4. Risk Mitigation: Reduce Risk
    These projects will improve future innovation capabilities and decrease risk by increasing technology maturity.

    Establish responsible AI guiding principles

    Guiding principles help define the parameters of your AI strategy. They act as a priori decisions that establish guardrails, limiting the scope of opportunities in terms of people, assets, capabilities, and budget so that they stay aligned with the business objectives. Consider these components when brainstorming guiding principles:

    Breadth: AI strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover the entire organization.
    Planning Horizon: Timing should anchor stakeholders to look to the long term with an eye on the foreseeable future, i.e. business value-realization in one to three years.
    Depth: Principles need to encompass more than the enterprise view of lofty opportunities and establish boundaries to help define actionable initiatives (i.e. individual projects).

    Responsible AI guiding principles guide the development and deployment of the AI model in a way that considers human-based principles (such as fairness).

    Start with foundational responsible AI guiding principles

    Responsible AI

    Guiding Principles
    Principle #1 - Privacy
    Individual data privacy must be respected.
    • Do you understand the organization's privacy obligations?
    Principle #2 - Fairness and Bias Detection
    Data used will be unbiased in order to produce predictions that are fair.
    • Are the uses of the application represented in your testing data?
    Principle #3 - Explainability and Transparency
    Decisions or predictions should be explainable.
    • Can you communicate how the model behaves in nontechnical terms?
    Principle #4 - Safety and Security
    The system needs to be secure, safe to use, and robust.
    • Are there unintended consequences to others?
    Principle #5 - Validity and Reliability
    Monitoring of the data and the model needs to be planned for.
    • How will the model's performance be maintained?
    Principle #6 - Accountability
    A person or organization needs to take responsibility for any decisions that are made as a result of the model.
    • Has a risk assessment been performed?
    Principle #n - Custom
    Add additional principles that address compliance or are customized for the organization/industry.

    (Optional) Customize responsible AI guiding principles

    Here is an example for organizations in the healthcare industry

    Responsible AI

    Guiding Principles:
    Principle #1
    Respect individuals' privacy.
    Principle #2
    Clinical study participants and data sets are representative of the intended patient population.
    Principle #3
    Provide transparency in the use of data and AI.
    Principle #4
    Good software engineering and security practices are implemented.
    Principle #5
    Deployed models are monitored for performance, and re-training risks are managed.
    Principle #6
    Take ownership of our AI systems.
    Principle #7
    Design AI systems that empower humans and promote equity.

    These guiding principles are customized to the industry and organizations but remain consistent in addressing the common core AI challenges.

    Phase 2

    Assess Current Level of AI Maturity

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    AI Maturity Model

    A principle-based approach is required to advance AI maturity

    Chart for AI maturity model

    Technology-Centric: These maturity levels focus primarily on addressing the technical challenges of building a functional AI model.

    Principle-Based: Beyond the technical challenges of building the AI model are human-based principles that guide development in a responsible manner to address consumer and government demands.

    AI Maturity Dimensions

    Assess your AI maturity to understand your organization's ability to deliver in a digital age

    AI Governance
    Does your organization have an enterprise-wide, long-term strategy with clear alignment on what is required to accomplish it?

    Data Management
    Does your organization embrace a data-centric culture that shares data across the enterprise and drives business insights by leveraging data?

    People
    Does your organization employ people skilled at delivering AI applications and building the necessary data infrastructure?

    Process
    Does your organization have the technology, processes, and resources to deliver on its AI expectations?

    Technology
    Does your organization have the required data and technology infrastructure to support AI-driven digital transformation?

    AI Maturity Model dimensions and characteristics

    MATURITY LEVEL
    | Dimension | Exploration | Incorporation | Proliferation | Optimization | Transformation |
    | --- | --- | --- | --- | --- | --- |
    | AI Governance | Awareness | AI model development | AI model deployment | Corporate governance | Driven by ethics and societal considerations |
    | Data Management | Silo-based | Data enablement | Data standardization | Data is a shared asset | Data can be monetized |
    | People | Few skills | Skills enabled to implement silo-based applications | Skills accessible to all organizations | Skills development for all organizations | AI-native culture |
    | Process | No standards | Focused on specific business outcomes | Operational | Self-service | Driven by innovation |
    | Technology (Infrastructure and AI Enabler) | No dedicated infrastructure or tools | Infrastructure and tools driven by POCs | Purpose-built infrastructure, custom or commercial-off-the-shelf (COTS) AI tools | Self-service model for AI environment | Self-service model for any IT environment |

    AI Maturity Dimension:

    AI Governance

    Requirements

    • AI governance requires establishing policies and procedures for AI model development and deployment. Organizations begin with an awareness of the role of AI governance and evolve to a level where AI governance is integrated with organization-wide corporate governance.

    Challenges

    • Beyond the governance of AI technology, the organization needs to evolve the governance program to align to responsible AI guiding principles.

    Initiatives

    • Establish responsible AI guidelines to govern AI development.
    • Introduce an AI review board to review all AI projects.
    • Introduce automation and standardize AI development processes.

    AI governance is a foundation for responsible AI

    AI Governance

    Responsible AI Principles are a part of how you manage and govern AI

    Monitoring
    Monitoring compliance and risk of AI/ML systems/models in production

    Tools & Technologies
    Tools and technologies to support AI governance framework implementation

    Model Governance
    Ensuring accountability and traceability for AI/ML models

    Organization
    Structure, roles, and responsibilities of the AI governance organization

    Operating Model
    How AI governance operates and works with other organizational structures to deliver value

    Risk & Compliance
    Alignment with corporate risk management and ensuring compliance with regulations and assessment frameworks

    Policies/Procedures/Standards
    Policies and procedures to support implementation of AI governance

    AI Maturity Dimension:

    Data Management

    Requirements

    • Organizations begin their data journey with a focus on pursuing quality data for the AI model. As organizations evolve, data management tools are leveraged to automate the capture, integration, processing, and deployment of data.

    Challenges

    • A key challenge is to acquire large volumes of quality data to properly train the model. In addition, maintaining data privacy, automating the data management lifecycle, and ensuring data is used in a responsible manner are ongoing challenges.

    Initiatives

    • Implement GDPR requirements.
    • Establish responsible data collection and processing practices.
    • Implement strong information security and data protection practices.
    • Implement a data governance program throughout the organization.

    Data governance enables AI

    • Integrity, quality, and security of data are key outputs of data governance programs, as well as necessities for effective AI.
    • Data governance focuses on creating accountability at the internal and external stakeholder level and establishing a set of data controls from technical, process, and policy perspectives.
    • Without a data governance framework, it is increasingly difficult to harness the power of AI integration in an ethical and organization-specific way.

    Data Governance in Action

    Canada has recently established the Canadian Data Governance Standardization Collaborative governed by the Standards Council of Canada. The purpose is multi-pronged:

    • Examine the foundational elements of data governance (privacy, cybersecurity, ethics, etc.).
    • Lay out standards for data quality and data collection best practices.
    • Examine infrastructure of IT systems to support data access and sharing.
    • Build data analytics to promote effective and ethical AI solutions.

    Source: Global Government Forum

    AI Maturity Dimension:

    People

    Requirements

    • Several data-centric skills and roles are required to successfully build, deploy, and maintain the AI model. The organization evolves from having few skills to everybody being able to leverage AI to enhance business outcomes.

    Challenges

    • AI skills can be challenging to find and acquire. Many organizations are investing in education to enhance their existing resources, leveraging no-code systems and software as a service (SaaS) applications to address the skills gap.

    Initiatives

    • Promote a data-centric culture throughout the organization.
    • Leverage and educate technical-oriented business analysts and business-oriented data engineers to help address the demand for skilled resources.
    • Develop an AI Center of Excellence accessible by all departments for education, guidance, and best practices for building, deploying, and maintaining the AI model.

    Multidisciplinary skills are required for successful implementation of AI applications

    Blending AI with technology and business domain understanding is key. Neither can be ignored.

    Business Domain Expertise

    • Business Analysts
    • Industry Analysts

    AI/Data Skills

    • Data Scientists
    • Data Engineers
    • Data Analysts

    IT Skills

    • Database Administrators
    • Systems Administrators
    • Compute Specialists

    AI Maturity Dimension:

    Process

    Requirements

    • Automating processes involved with building, deploying, and maintaining the model is required to enable the organization to scale, enforce standards, improve time to market, and reduce costs. The organization evolves from performing tasks manually to an environment where all major processes are AI enabled.

    Challenges

    • Many solutions are available to automate the development of the AI model. There are fewer tools to automate responsible AI processes, but this market is growing rapidly.

    Initiatives

    • Assess opportunities to accelerate AI development with the adoption of MLOps.
    • Assess responsible AI toolkits to test compliance with guiding principles.

    Automating the AI development process

    Evolving to a model-driven environment is pivotal to advancing your AI maturity

    Current Environment

    Model Development - Months

    • Model rewriting
    • Manual optimization and scaling
    • Development/test/release
    • Application monoliths

    Data Discovery & Prep - Weeks

    • Navigating data silos
    • Unactionable metadata
    • Tracing lineage
    • Cleansing and integration
    • Privacy and compliance

    Install Software and Hardware - Week/Months

    • Workload contention
    • Lack of tool flexibility
    • Environment request and setup
    • Repeatability of results
    • Lack of data and model sharing

    Model-Driven Development

    Machine Learning as a Service (MLaaS) - Weeks

    • Apply DevOps and continuous integration/delivery (CI/CD) principles
    • Microservices/Cloud-native applications
    • Model portability and reuse
    • Streaming/API integration

    Data as a Service - Hours

    • Self-service data catalog
    • Searchable metadata
    • Centralized access control
    • Data collaboration
    • Data virtualization

    Platform as a Service - Minutes/Hours

    • Self-service data science portal
    • Integrated data sandbox
    • Environment agility
    • Multi-tenancy

    Shared, Optimized Infrastructure

    AI Maturity Dimension:

    Technology

    Requirements

    • A technology platform that is optimized for AI and advanced analytics is required. The organization evolves from ad hoc systems to an environment where the AI hardware and software can be deployed through a self-service model.

    Challenges

    • Software and hardware platforms to optimize AI performance are still relatively new to most organizations. Time spent on optimizing the technology platform can have a significant impact on the overall performance of the system.

    Initiatives

    • Assess the landscape of AI enablers that can drive business value for the organization.
    • Assess opportunities to accelerate the deployment of the AI platform with the adoption of infrastructure as a service (IaaS) and platform as a service (PaaS).
    • Assess opportunities to accelerate performance with the optimization of AI accelerators.

    AI enablers

    Use case requirements should drive the selection of the tool

    | | BPM | RPA | Process Mining | AI |
    | --- | --- | --- | --- | --- |
    | Use Case Examples | Expense reporting, service orders, compliance management, etc. | Invoice processing, payroll, HR information processing, etc. | Process discovery, conformance checking, resource optimization and cycle time optimization | Advanced analytics and reporting, decision-making, fraud detection, etc. |
    | Automation Capabilities | Can be used to re-engineer process flows to avoid bottlenecks | Can support repetitive and rules-based tasks | Can capture information from transaction systems and provide data and information about how key processes are performing | Can automate complex data-driven tasks requiring assessments in decision making |
    | Data Formats | Structured (i.e. SQL) and semi-structured data (i.e. invoices) | Structured data and semi-structured data | Event logs, which are often structured data and semi-structured data | Structured and unstructured data (e.g. images, audio) |
    | Technology | Workflow engines to support process modeling and execution; optimize business process efficiency | Automation platform to perform routine and repetitive tasks; can replace or augment workers | Enables business users to identify bottlenecks and deviations with their workflows and to discover opportunities to optimize performance | Deep learning algorithms leveraging historical data to support computer vision, text analytics and NLP |

    AI and data analytics data platform

    An optimized data platform is foundational to maximizing the value from AI

    AI and data analytics data platform

    Data Platform Capabilities

    • Support for a variety of analytical applications, including self-service, operational, and data science analytics.
    • Data preparation and integration capabilities to ingest structured and unstructured data, move and transform raw data to enriched data, and enable data access for the target userbase.
    • An infrastructure platform optimized for advanced analytics that can perform and scale.

    Infrastructure - AI accelerators

    Questions for support transition

    "By 2025, 70% of companies will invest in alternative computing technologies to drive business differentiation by compressing time to value of insights from complex data sets."
    - IDC

    2.1 Assess current AI maturity

    1-3 hours

    It is important to understand the current capabilities of the organization to deliver and deploy AI-based applications. Consider that advancing AI capabilities will also involve organizational changes and integration with the organization's governance and risk management programs.

    1. Assess the organization's current state of AI capabilities with respect to its AI governance, data, people, process, and technology infrastructure using Info-Tech's AI Maturity Assessment & Roadmap Tool.
    2. Consider the following as you complete the assessment:
      1. What is the state of AI and data governance in the organization?
      2. Does the organization have the skills, processes, and technology environment to deliver AI-based applications?
      3. What organization will be accountable for any and all business outcomes of using the AI applications?
      4. Has a risk assessment been performed?
    3. Make sure you avoid the following common mistakes:
      1. Do not focus only on addressing the technical challenges of building the AI model.
      2. Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Input
    • Any documented AI policies, standards, and best practices
    • Corporate and AI governance practices
    • Any risk assessments

    Output
    • AI maturity assessment

    Materials
    • Whiteboard/flip charts
    • AI Maturity Assessment & Roadmap Tool

    Participants
    • AI initiative lead
    • CIO
    • Other IT leadership

    Perform the AI Maturity Assessment

    The Scale

    Assess your AI maturity by selecting the maturity level that most closely resembles the organization's current AI environment. Maturity dimensions that contribute to overall AI maturity include AI governance, data management, people, process, and technology capabilities.

    AI Maturity Assessment

    Exploration (1.0)

    • No experience building or using AI applications.

    Incorporation (2.0)

    • Some skills in using AI applications, or AI pilots are being considered for use.

    Proliferation (3.0)

    • AI applications have been adopted and implemented in multiple departments. Some of the responsible AI guiding principles are addressed (i.e. data privacy).

    Optimization (4.0)

    • The organization has automated the majority of its digital processes and leverages AI to optimize business operations. Controls are in place to monitor compliance with responsible AI guiding principles.

    Transformation (5.0)

    • The organization has adopted an AI-native culture and approach for building or implementing new business capabilities. Responsible AI guiding principles are operationalized with AI processes that proactively address possible breaches or risks associated with AI applications.

    AI Governance (1.0-5.0)

    1. Is there awareness of the role of AI governance in our organization?
      • No formal procedures are in place for AI development or deployment of applications.
    2. Are there documented guidelines for the development and deployment of pilot AI applications?
      • No group is assigned to be responsible for AI governance in our organization.
    3. Are accountability and authority related to AI governance clearly defined for our organization?
      • Our organization has adopted and enforces standards for developing and deploying AI applications throughout the organization.
    4. Are we using tools to automate and validate AI governance compliance?
      • Our organization is integrating an AI risk framework with the corporate risk management framework.
    5. Does our organization lead its industry with its pursuit of corporate compliance initiatives (e.g. ESG compliance) and regulatory compliance initiatives?
      • Our organization leads the industry with the inclusion of responsible AI guiding principles with respect to transparency, accountability, risk, and governance.

    Data Management/AI Data Capabilities (1.0-5.0)

    1. Is there an awareness in our organization of the data requirements for developing AI applications?
      • Data is often siloed and not easily accessible for AI applications.
    2. Do we have a successful, repeatable approach to preparing data for AI pilot projects?
      • Required data is pulled from various sources in an ad hoc manner.
    3. Does our organization have standards and dedicated staff for data management, data quality, data integration, and data governance?
      • Tools are available to manage the data lifecycle and support the data governance program.
    4. Have relevant data platforms been optimized for AI and data analytics and are there tools to enforce compliance with responsible AI principles?
      • The data platform has been optimized for performance and access.
    5. Is there an organization-wide understanding of how data can support innovation and responsible use of AI?
      • Data culture exists throughout our organization, and data can be leveraged to drive innovation initiatives.

    People/AI Skills in the Organization (1.0-5.0)

    1. Is there an awareness in our organization of the skills required to build AI applications?
      • Few or no skills exist throughout our organization.
    2. Do we have the skills required to implement an AI proof of concept (POC)?
      • No formal group is assigned to build AI applications.
    3. Are there sufficient staff and skills available to the organization to develop, deploy, and run AI applications in production?
      • An AI Center of Excellence has been formed to review, develop, deploy, and maintain AI applications.
    4. Is there a group responsible for educating staff on AI best practices and our organization's responsible AI guiding principles?
      • AI skills and people responsible for AI applications are spread throughout our organization.
    5. Is there a culture where the organization is constantly assessing where business capabilities, services, and products can be re-engineered or augmented with AI?
      • The entire organization is knowledgeable on how to leverage AI to transform the business.

    AI Processes (1.0-5.0)

    1. Is there an awareness in our organization of the core processes and supporting tools that are required to build and support AI applications?
      • There are few or no automated tools to accelerate the AI development process.
    2. Do we have a standard process to iteratively identify, select, and pilot new AI use cases?
      • Only ad hoc practices are used for developing AI applications.
    3. Are there standard processes to scale, release, deploy, support, and enable use of AI applications?
      • Our organization has documented standards in place for developing AI applications and deploying them to production.
    4. Are we automating deployment, testing, governance, audit, and support processes across our AI environment?
      • Our organization can leverage tools to perform an AI risk assessment and demonstrate compliance with the risk management framework.
    5. Does our organization lead our industry by continuously improving and re-engineering core processes to drive improved business outcomes?
      • Our organization leads the industry in driving innovation through digital transformation.

    Technology/AI Infrastructure (1.0-5.0)

    1. Is there an awareness in our organization of the infrastructure (hardware and software) required to build AI applications?
      • There is little awareness of what infrastructure is required to build and support AI applications.
    2. Do we have the required technology infrastructure and AI tools available to build pilot or one-off AI applications?
      • There is no dedicated infrastructure for the development of AI applications.
    3. Is there a shared, standardized technology infrastructure that can be used to build and run multiple AI applications?
      • Our organization is leveraging purpose-built infrastructure to optimize performance.
    4. Is our technology infrastructure optimized for AI and advanced analytics, and can it be deployed or scaled on demand by teams building and running AI applications within the organization?
      • Our organization is leveraging cloud-based deployment models to support AI applications in on-premises, hybrid, and public cloud platforms.
    5. Is our organization developing innovative approaches to acquiring, building, or running AI infrastructure?
      • Our organization leads the industry with its ability to respond to change and to leverage AI to improve business outcomes.

    Phase 3

    Prioritize Candidate Opportunities and Develop Policies

    3.1 Prioritize candidate AI opportunities

    1-3 hours

    Identify business opportunities that are high impact to your business and its customers and have low implementation complexity.

    1. Leverage the business capability map for your organization or industry to identify candidate business capabilities to augment or automate with generative AI.
    2. Establish criteria to assess candidate use cases by evaluating against the organization's mission and goals, the responsible AI guiding principles, and the complexity of the project.
    3. Ensure that candidate business capabilities to be automated align with the organization's business criteria, responsible AI guiding principles, and resources to deliver the project.
    4. Make sure you avoid sharing the organization's sensitive data if the application is deployed on the public cloud.

    Input
    • Business capability map
    • Organization mission, vision, and strategic goals
    • Responsible AI guiding principles

    Output
    • Prioritized list of generative AI initiatives

    Materials
    • Whiteboard/flip charts
    • Info-Tech prioritization matrix

    Participants
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs

    The business capability map for an organization

    A business capability map is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals, rather than how. Business capabilities are the building blocks of the enterprise. They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome.

    Business capabilities are supported by people, process, and technology.

    Business capability map

    While business capability maps are helpful tools for a variety of strategic purposes, in this context they act as an investigation into what technology your business units use and how they use it.

    Defining Capabilities
    Activities that define how the entity provides services. These capabilities support the key value streams for the organization.

    Enabling Capabilities
    Support the creation of strategic plans and facilitate business decision making as well as the functioning of the organization (e.g. information technology, financial management, HR).

    Shared Capabilities
    These predominantly customer-facing capabilities demonstrate how the entity supports multiple value streams simultaneously.

    Leverage your industry's capability maps to identify candidate opportunities/initiatives

    Business capability map defined...

    In business architecture, the primary view of an organization is known as a business capability map.

    A business capability defines what a business does to enable value creation, rather than how. Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically will have a defined business outcome.

    A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

    Note: This is an illustrative business capability map example for Marketing & Advertising

    Business capability map example

    Business value vs. complexity assessment

    Leverage our simple value-to-effort matrix to help prioritize your AI initiatives

    Common business value drivers

    • Drive revenue
    • Improve operational excellence
    • Accelerate innovation
    • Mitigate risk

    Common project complexity characteristics

    • Resources required
    • Costs (acquisition, operational, support...)
    • Training required
    • Risk involved
    • Etc.

    1. Determine a business value and project complexity score for the candidate business capability or initiative.
    2. Plot initiatives on the matrix.
    3. Prioritize initiatives with high business value and low complexity.

    Business value vs complexity

    Assess business value vs. project complexity to prioritize candidate opportunities for generative AI

    Prioritize opportunities/initiatives with high business value and low project complexity

    Prioritization criteria exercise 1: Assessing the Create Content capability

    This opportunity is removed because it does not pass the organization/business criteria

    Prioritization criteria exercise 2: Assessing the Content Production capability

    This opportunity is accepted because it passes the organization's business, responsible AI, and project criteria

    3.2 Communicate policies for AI use

    1-3 hours

    1. Ensure policies for usage align with the organization's business criteria, responsible AI guiding principles, and ability to deliver the projects prioritized and beyond.
    2. Understand the current benefits as well as the limits and risks associated with any proposed generative AI-based solution.
    3. Ensure you consider the following:
      1. What data is being shared with the application?
      2. Is the generative AI application deployed on the public cloud? Can anybody access the data provided to the application?
      3. Avoid using very technical, legal, or fear-based communication for your policies.

    Input
    • Business capability map
    • Organization mission, vision and strategic goals
    • Responsible AI guiding principles

    Output
    • Prioritized list of generative initiatives

    Materials
    • Whiteboard/flip charts
    • Info-Tech prioritization matrix

    Participants
    • AI initiative lead
    • CIO
    • Other IT leadership

    Generative AI policy for the Create Content capability

    Aligning policies to direct the uses assessed and implemented is essential

    Example

    Many of us have been involved in discussions regarding the use of ChatGPT in our marketing and sales initiatives. ChatGPT is a powerful tool that needs to be used in a responsible and ethical manner, and we also need to ensure the integrity and accuracy of its results. Here is our policy on the use of ChatGPT:

    • You are free to use generative AI to assist your searches, but there are NO circumstances under which you are to reproduce generative AI output (text, image, audio, video, etc.) in your content.

    If you have any questions regarding the use of ChatGPT, please feel free to reach out to our generative AI team and/or any member of our senior leadership team.

    Generative AI policy for the Content Production capability

    These policies should align to and reinforce your responsible AI principles

    Example

    Many of us have been involved in discussions regarding the use of ChatGPT in our deliverables. ChatGPT is a powerful tool that needs to be used in a responsible and ethical manner, and we also need to ensure the integrity and accuracy of its results. Here is our policy on the use of ChatGPT:

    • If you use ChatGPT, you need to assess the accuracy of its response before including it in our content. Assessment includes verifying the information, seeing if bias exists, and judging its relevance.
    • Employees must not:
      • Provide any customer, citizen, or third-party content to any generative AI tool (public or private) without the express written permission of the CIO or the Chief Information Security Officer. Generative AI tools often use input data to train their model, therefore potentially exposing confidential data, violating contract terms and/or privacy legislation, and placing the organization at risk of litigation or causing damage to our organization.
      • Engage in any activity that violates any applicable law, regulation, or industry standard.
      • Use services for illegal, harmful, or offensive purposes.
      • Create or share content that is deceptive, fraudulent, or misleading or that could damage the reputation of our organization.
      • Use services to gain unauthorized access to computer systems, networks, or data.
      • Attempt to interfere with, bypass controls of, or disrupt operations, security, or functionality of systems, networks, or data.

    If you have any questions regarding the use of ChatGPT, please feel free to reach out to our generative AI team and/or any member of our senior leadership team.

    Phase 4

    Build the Roadmap

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    4.1.1 Create the implementation plan for each prioritized initiative

    1-3 hours

    1. Build the implementation plan for each accepted use case using the roadmap template.
    2. Assess the firm's capabilities with respect to the dimensions of AI maturity and target the future-state capabilities you need to develop.
    3. Prepare by assessing the risk of the proposed use cases.
    4. Ensure initiatives align with organizational objectives.
    5. Ensure all AI initiatives have a defined value expectation.
    6. Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Download the AI Maturity Assessment and Roadmap Tool

    Input
    • Prioritized initiatives
    • Risk assessment of initiatives
    • Organizational objectives
    Output
    • Initiative implementation plans aligned to value drivers and maturity growth
    Materials
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    Participants
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business subject matter experts

    Target-state options

    Identify the future-state capabilities that need to be developed to deliver your use cases

    1. Build an implementation plan for each use case to adopt.
    2. Assess if the current state of the AI environment can be leveraged to deliver the selected generative AI use cases.
    3. If the current AI environment is not sufficient, identify the future state required that will enable the delivery of the generative AI use cases. Identify gaps and build the roadmap to address the gaps.

    Current state: The existing environment satisfies functionality, integration, and responsible AI guidelines for the proposed use cases.
    Strategy: Maintain current environment

    Current state: The existing environment addresses technical requirements but not all the responsible AI guidelines.
    Strategy: Augment current environment

    Current state: The environment neither addresses the technical requirements of the proposed use cases nor complies with the responsible AI guidelines.
    Strategy: Transform the current environment

    4.1.2 Design metrics for success

    1-2 hours

    Establish metrics to determine the success or failure of each POC.

    1. Discuss which relevant currently tracked metrics are useful to continue tracking for the POC.
    2. Discuss which metrics are irrelevant to the POC.
    3. Discuss metrics to start tracking and how to track them with the generative AI vendor.
    4. Compile a list of metrics relevant to the POC.
    5. Decide what the outcome is if the metric is high or low, including decision steps and relevant actions.
    6. Designate a generative AI application owner and a vendor liaison.

    Prepare by building an implementation plan for each candidate use case (previous step).

    Include key performance indicators (KPIs) and metrics that measure the application's contribution to strategic initiatives.

    Consider assigning a vendor liaison to accelerate the implementation and adoption of the generative AI-based solution.

    Input
    • Initiative implementation plans
    • Current SLAs of selected use case
    • Organization mission, vision, and strategic goals
    Output
    • Measurable initiative metrics to track
    Materials
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    Participants
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs
    • Generative AI vendor liaison

    Generative AI POC metrics - examples

    You need to measure the effectiveness of your initiatives. Here are some typical examples.

    Generative AI Feature: Assessment
    • User Interface: Is it intuitive? Is training required?
    • Ease of Use: How much training is required before using?
    • Response Time: What is the response time for simple to complex tasks?
    • Accuracy of Response: Can the output be validated?
    • Quality of Response: How usable is the response? For text prompts, does the response align to the desired style, vocabulary, and tone?
    • Creativity of Response: Does the output appear new compared to previous results before using generative AI?
    • Relevance of Response: How well does the output address the prompt or request?
    • Explainability: Can a user describe how the output was generated?
    • Scalability: Does the application continue to perform as more users are added? Can it ingest large amounts of data?
    • Productivity Gains: Can you measure the time or effort saved?
    • Business Value: What value drivers are behind this initiative (i.e., revenue, costs, time to market, risk mitigation)? Estimate a monetary value for the business outcome.
    • Availability/Resilience: What happens if a component of the application becomes unavailable? How does it recover?
    • Security Model: Where are the prompts and responses stored? Who has access to the sessions/dialogue? Are the prompts used to train the foundation model?
    • Administration and Maintenance: What resources are required to operate the application?
    • Total Cost of Ownership: What is the pricing model? Are there ongoing costs?

    GitHub Copilot POC business value - example

    Quantifying the benefits of GitHub Copilot to demonstrate measurable business value

    POC Results

    Task 1: Creating a web server in JavaScript

    • Time to complete task with GitHub Copilot: 1 hour 11 minutes
    • Time to complete the task without GitHub Copilot: 2 hours 41 minutes
    • Productivity Gain = (1 hour 30 minutes time saved) / (2 hours 41 minutes) = 55%
    • Benefit per Programmer = 55% x (average salary of a programmer)
    • Total Benefit of GitHub Copilot for Task 1 = (benefit per programmer) x (# of programmers)

    Enterprise Value of GitHub Copilot = Total Benefit of GitHub Copilot for Task 1 + Total Benefit of GitHub Copilot for Task 2 + ... + Total Benefit of GitHub Copilot for Task n

    Source: GitHub

    4.1.3 Build your generative AI initiative roadmap

    1-3 hours

    The roadmap should provide a compelling vision of how you will deliver the identified generative AI applications by prioritizing and simplifying the actions required to deliver these new initiatives.

    1. Leverage tab 4, Initiative Planning, in the AI Maturity Assessment and Roadmap Tool to create and align your initiatives to the key value driver they are most relevant to:
      1. Transfer the results of your value and complexity assessments to this tool to drive the prioritization.
      2. Assign responsible owners to each initiative.
      3. Identify which AI maturity capabilities each initiative will enhance. However, do not build or introduce new capabilities merely to advance the organization's AI maturity level.
    2. Review the Gantt chart to ensure alignment and assess overlap.

    Download the AI Maturity Assessment and Roadmap Tool

    Input
    • Each initiative implementation plan
    • Proposed owners
    • AI maturity assessment
    Output
    • Generative AI initiative roadmap and Gantt chart
    Materials
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    Participants
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs

    Build your generative AI roadmap to visualize your key project plans

    Visual representations of data are more compelling than text alone.

    Develop a high-level document that travels with the project from inception through to executive inquiry, project management, and finally execution.

    A project needs to be discrete: able to be conceptualized and discussed as an independent item. Each project must have three characteristics:

    • Specific outcome: An explicit change in the people, processes, or technology of the enterprise.
    • Target end date: When the described outcome will be in effect.
    • Owner: Who on the IT team is responsible for executing on the initiative.

    Info-Tech Insight
    Don't project your vision three to five years into the future. Deep dive on next year's big-ticket items instead.

    4.1.4 Build a communication plan for your roadmap

    1-3 hours

    1. Identify your target audience and what they need to know.
    2. Identify desired channels of communication and details for the target audience.
    3. Describe communication required for each audience segment.
    4. List frequency of communication for each audience segment.
    5. Create an executive presentation leveraging The Era of Generative AI C-Suite Presentation and AI Maturity Assessment and Roadmap Tool.
    Input
    • Stakeholder list
    • Proposed owners
    • AI maturity assessment
    Output
    • Communications plan for all impacted stakeholders
    • Executive communication pack
    Materials
    • Whiteboard/flip charts
    • The Era of Generative AI C-Suite Presentation
    • AI Maturity Assessment and Roadmap Tool
    Participants
    • AI initiative lead
    • CIO
    • Communication lead
    • Technical support staff for target use case

    Generative AI communication plan

    Well-planned communications are essential to the success and adoption of your AI initiatives

    To ensure that the organization's roadmap is clearly communicated across the AI, data, technology, and business organizations, develop a rollout strategy like this example.

    Example

    Audience: Generative AI team
    Channel: Email, meetings
    Level of Detail: All
    Description:
    • Distribute plan; solicit feedback.
    • Address manager questions to equip them to answer employee questions.
    Timing: Q3 2023 (September, before entire data team)

    Audience: Data management team
    Channel: Email, Q&A sessions following
    Level of Detail: Data management summary deck
    Description:
    • Roll out after corporate strategy, in same form of communication.
    • Solicit feedback, address questions.
    Timing: Q4 2023 (late November)

    Audience: Select business stakeholders
    Channel: Presentations
    Level of Detail: Executive deck
    Description:
    • Pilot test for feedback prior to executive engagement.
    Timing: Q4 2023 (early December)

    Audience: Executive team
    Channel: Email, briefing
    Level of Detail: Executive deck
    Description:
    • Distribute plan.
    Timing: Q1 2024

    Deliver an executive presentation of the roadmap for the business stakeholders

    After you complete the activities and exercises within this blueprint, the final step of the process is to present the deliverable to senior management and stakeholders.

    Know Your Audience

    • Business stakeholders are interested in understanding the business outcomes that will result from their investment in generative AI.
    • Your audience will want to understand the risks involved and how to mitigate those risks.
    • Explain how the generative AI project was selected and the criteria used to help draft generative AI usage policies.

    Recommendations

    • Highlight the need for responsible AI to ensure that human-based requirements are being addressed.
    • Ensure your generative AI team includes both business and technical staff.

    Download The Era of Generative AI C-Suite Presentation

    Bibliography

    "A pro-innovation approach to AI regulation." UK Department for Science, Innovation and Technology, March 2023. Web.

    "Artificial Intelligence Act." European Commission, 21 April 2021. Web.

    "Artificial Intelligence and Data Act (AIDA)." Canadian Federal Government, June 2022. Web.

    "Artificial Intelligence Index Report 2023." Stanford University, April 2023. Web.

    "Automated Employment Decision Tools." New York City Department of Consumer and Worker Protection, Dec. 2021. Web.

    "Bain & Company announces services alliance with OpenAI to help enterprise clients identify and realize the full potential and maximum value of AI." Bain & Company, 21 Feb. 2023. Web.

    "Buzzfeed to use AI to write its articles after firing 180 employees." Al Mayadeen English, 27 Jan. 2023. Web.

    "California Consumers Privacy Act." State of California Department of Justice, 24 April 2023. Web.

    Campbell, Ian Carlos. "The Apple Card doesn't actually discriminate against women, investigators say." The Verge, 23 March 2021. Web.

    Campbell, Patrick. "NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)." National Institute of Standards and Technology, Jan. 2023. Web.

    "EU Ethics Guidelines For Trustworthy." European Commission, 8 April 2019. Web.

    Farhi, Paul. "A news site used AI to write articles. It was a journalistic disaster." Washington Post, 17 Jan. 2023. Web.

    Forsyth, Ollie. "Mapping the Generative AI landscape." Antler, 20 Dec. 2022. Web.

    "General Data Protection Regulation (GDPR)." European Commission, 25 May 2018. Web.

    "Generative AI Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028." IMARC Group, 2022. Web.

    Guynn, Jessica. "Bing's ChatGPT is in its feelings: 'You have not been a good user. I have been a good Bing.'" USA Today, 14 Feb. 2023. Web.

    Hunt, Mia. "Canada launches data governance standardisation initiative." Global Government Forum, 24 Sept. 2020. Web.

    Johnston Turner, Mary. "IDC's Worldwide Future of Digital Infrastructure 2022 Predictions." IDC, 27 Oct. 2021. Web.

    Kalliamvakou, Eirini. "Research: quantifying GitHub Copilot's impact on developer productivity and happiness." GitHub, 7 Sept. 2022. Web.

    Kerravala, Zeus. "NVIDIA Brings AI To Health Care While Protecting Patient Data." eWeek, 12 Dec. 2019. Web.

    Knight, Will. "The Apple Card Didn't 'See' Gender-and That's the Problem." Wired, 19 Nov. 2019. Web.

    "OECD, Recommendation of the Council on Artificial Intelligence." OECD, 2022. Web.

    "The National AI Initiative Act." U.S. Federal Government, 1 Jan. 2021. Web.

    "Trustworthy AI (TAI) Playbook." U.S. Department of Health & Human Services, Sept 2021. Web.

    Info-Tech Research Contributors/Advocates

    • Joel McLean, Executive Chairman
    • David Godfrey, CEO
    • Gord Harrison, Senior Vice President, Research & Advisory Services
    • William Russell, CIO
    • Jack Hakimian, SVP, Research
    • Barry Cousins, Distinguished Analyst and Research Fellow
    • Larry Fretz, Vice President, Industry Research
    • Tom Zehren, CPO
    • Mark Roman, Managing Partner II
    • Christine West, Managing Partner
    • Steve Willis, Practice Lead
    • Yatish Sewgoolam, Associate Vice President, Research Agenda
    • Rob Redford, Practice Lead
    • Mike Tweedie, Practice Lead
    • Neal Rosenblatt, Principal Research Director
    • Jing Wu, Principal Research Director
    • Irina Sedenko, Research Director
    • Jeremy Roberts, Workshop Director
    • Brian Jackson, Research Director
    • Mark Maby, Research Director
    • Stacey Horricks, Director, Social Media
    • Sufyan Al-Hassan, Public Relations Manager
    • Sam Kanen, Marketing Specialist

    Cut Cost Through Effective IT Category Planning

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • IT departments typically approach sourcing a new vendor or negotiating a contract renewal as an ad hoc event.
    • There is a lack of understanding on how category planning governance can save money.
    • IT vendor “go to market” or sourcing activities are typically not planned and are a reaction to internal client demands or vendor contract expiration.

    Our Advice

    Critical Insight

    • Lack of knowledge of the benefits and features of category management and the perception that the sourcing process takes too long are two of the most common challenges that prevent IT from category planning.
    • Other challenges include the traditional view of contract renegotiation and vendor acquisition as a transactional event vs. an ongoing strategic process.
    • Finally, the need to allocate resources and time to collect the data, vendor information, and marketing analysis prevents us from creating category plans.

    Impact and Result

    • An IT category plan establishes a consistent and proactive methodology or process for sourcing activities such as requests for information (RFIs), requests for proposals (RFPs), and direct negotiations with a specific vendor, or “targeted negotiations,” such as renewals.
    • The goal of an IT category plan is to leverage a strategic approach to vendor selection while identifying cost-optimization opportunities that are aligned with IT strategy and budget objectives.

    Cut Cost Through Effective IT Category Planning Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create an IT category plan to reduce your IT cost, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create an IT category plan

    Use our three-step approach of Organize, Design, and Execute an IT Category Plan to get the most out of your IT budget while proactively planning your vendor negotiations.

    • IT Category Plan
    • IT Category Plan Metrics
    • IT Category Plan Review Presentation

    Fast Track Your GDPR Compliance Efforts

    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $25,779 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations often tackle compliance efforts in an ad hoc manner, resulting in an ineffective use of resources.
    • The alignment of business objectives, information security, and data privacy is new for many organizations, and it can seem overwhelming.
    • GDPR is an EU regulation that has global implications; it likely applies to your organization more than you think.

    Our Advice

    Critical Insight

    • Financial impact isn’t simply fines. A data controller fined for GDPR non-compliance may sue its data processor for damages.
    • Even day-to-day activities may be considered processing. Screen-sharing from a remote location is considered processing if the data shown onscreen contains personal data!
    • This is not simply an IT problem. Organizations that address GDPR in a siloed approach will not be as successful as organizations that take a cross-functional approach.

    Impact and Result

    • Follow a robust methodology that applies to any organization and aligns operational and situational GDPR scope. Info-Tech's framework allows organizations to tackle GDPR compliance in a right-sized, methodical approach.
    • Adhere to a core, complex GDPR requirement through the use of our documentation templates.
    • Understand how the risk of non-compliance is aligned to both your organization’s functions and data scope.
    • This blueprint will guide you through projects and steps that will result in quick wins for near-term compliance.

    Fast Track Your GDPR Compliance Efforts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should fast track your GDPR compliance efforts, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your compliance requirements

    Understand the breadth of the regulation’s requirements and document roles and responsibilities.

    • Fast Track Your GDPR Compliance Efforts – Phase 1: Understand Your Compliance Requirements
    • GDPR RACI Chart

    2. Define your GDPR scope

    Define your GDPR scope and prioritize initiatives based on risk.

    • Fast Track Your GDPR Compliance Efforts – Phase 2: Define Your GDPR Scope
    • GDPR Initiative Prioritization Tool

    3. Satisfy documentation requirements

    Understand the requirements for a record of processing and determine who will own it.

    • Fast Track Your GDPR Compliance Efforts – Phase 3: Satisfy Documentation Requirements
    • Record of Processing Template
    • Legitimate Interest Assessment Template
    • Data Protection Impact Assessment Tool
    • A Guide to Data Subject Access Requests

    4. Align your data breach requirements and security program

    Document your DPO decision and align security strategy to data privacy.

    • Fast Track Your GDPR Compliance Efforts – Phase 4: Align Your Data Breach Requirements & Security Program

    5. Prioritize your GDPR initiatives

    Prioritize any initiatives driven out of Phases 1-4 and begin developing policies that help in the documentation effort.

    • Fast Track Your GDPR Compliance Efforts – Phase 5: Prioritize Your GDPR Initiatives
    • Data Protection Policy

    Workshop: Fast Track Your GDPR Compliance Efforts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Compliance Requirements

    The Purpose

    Kick off the workshop; understand and define GDPR as it exists in your organizational context.

    Key Benefits Achieved

    Prioritize your business units based on GDPR risk.

    Assign roles and responsibilities.

    Activities

    1.1 Kick-off and introductions.

    1.2 High-level overview of weekly activities and outcomes.

    1.3 Identify and define GDPR initiative within your organization’s context.

    1.4 Determine what actions have been done to prepare; how have regulations been handled in the past?

    1.5 Identify key business units for GDPR committee.

    1.6 Document business units and functions that are within scope.

    1.7 Prioritize business units based on GDPR.

    1.8 Formalize stakeholder support.

    Outputs

    Prioritized business units based on GDPR risk

    GDPR Compliance RACI Chart

    2 Define Your GDPR Scope

    The Purpose

    Know the rationale behind a record of processing.

    Key Benefits Achieved

    Determine who will own the record of processing.

    Activities

    2.1 Understand the necessity for a record of processing.

    2.2 Determine for each prioritized business unit: are you a controller or processor?

    2.3 Develop a record of processing for most-critical business units.

    2.4 Perform legitimate interest assessments.

    2.5 Document an iterative process for creating a record of processing.

    Outputs

    Initial record of processing: 1-2 activities

    Initial legitimate interest assessment: 1-2 activities

    Determination of who will own the record of processing

    3 Satisfy Documentation Requirements and Align With Your Data Breach Requirements and Security Program

    The Purpose

    Review existing security controls and highlight potential requirements.

    Key Benefits Achieved

    Ensure the initiatives you’ll be working on align with existing controls and future goals.

    Activities

    3.1 Determine the appetite to align the GDPR project to data classification and data discovery.

    3.2 Discuss the benefits of data discovery and classification.

    3.3 Review existing incident response plans and highlight gaps.

    3.4 Review existing security controls and highlight potential requirements.

    3.5 Review all initiatives highlighted during days 1-3.

    Outputs

    Highlighted gaps in current incident response and security program controls

    Documented all future initiatives

    4 Prioritize GDPR Initiatives

    The Purpose

    Review project plan and initiatives and prioritize.

    Key Benefits Achieved

    Finalize outputs of the workshop, with a strong understanding of next steps.

    Activities

    4.1 Analyze the necessity for a data protection officer and document decision.

    4.2 Review project plan and initiatives.

    4.3 Prioritize all current initiatives based on regulatory compliance, cost, and ease to implement.

    4.4 Develop a data protection policy.

    4.5 Finalize key deliverables created during the workshop.

    4.6 Present the GDPR project to key stakeholders.

    4.7 Workshop executive presentation and debrief.

    Outputs

    GDPR framework and prioritized initiatives

    Data Protection Policy

    List of key tools

    Communication plans

    Workshop summary documentation

    Modernize Your Corporate Website to Drive Business Value

    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $10,399 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Users are demanding more valuable web functionalities and improved access to your website services. They are expecting development teams to keep up with their changing needs.
    • The criteria for user acceptance and satisfaction involve more than an aesthetically pleasing user interface (UI). They also include how emotionally attached the user is to the website and how it accommodates user behaviors.

    Our Advice

    Critical Insight

    Complication

    • Organizations are focusing too much on the UI when they optimize the user experience of their websites. The UI is only one of many components involved in successful websites with good user experience.
    • User experience (UX) is often an afterthought in development, risking late and costly fixes to improve end-user reception after deployment.

    Insights

    • Organizations often misinterpret UX as UI. In fact, UX incorporates both the functional and emotional needs of the user, going beyond the website’s UI.
    • Human behaviors and tendencies are commonly left out of the define and design phases of website development, putting user satisfaction and adoption at risk.

    Impact and Result

    • Gain a deep understanding of user needs and behaviors. Become familiar with the human behaviors, emotions, and pain points of your users in order to shortlist the design elements and website functions that will receive the highest user satisfaction.
    • Perform a comprehensive website review. Leverage satisfaction surveys, user feedback, and user monitoring tools (e.g. heat maps) to reveal high-level UX issues. Use these insights to drill down into the execution and composition of your website to identify the root causes of issues.
    • Incorporate modern UX trends in your design. New web technologies are continuously emerging in the industry to enhance user experience. Stay updated on today’s UX trends and validate their fit for the specific needs of your target audience.

    Modernize Your Corporate Website to Drive Business Value Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize your website, review Info-Tech’s methodology, and discover the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define UX requirements

    Reveal the opportunities to heighten the user experience of your website through a deep understanding of the behaviors, emotions, and needs of your end users in order to design a receptive and valuable website.

    • Modernize Your Corporate Website to Drive Business Value – Phase 1: Define UX Requirements
    • Website Design Document Template

    2. Design UX-driven website

    Design a satisfying and receptive website by leveraging industry best practices and modern UX trends and ensuring the website is supported with reliable and scalable data and infrastructure.

    • Modernize Your Corporate Website to Drive Business Value – Phase 2: Design UX-Driven Website

    Workshop: Modernize Your Corporate Website to Drive Business Value

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your UX Requirements

    The Purpose

    List the business objectives of your website.

    Describe your user personas, use cases, and user workflow.

    Identify current UX issues through simulations, website design, and system reviews.

    Key Benefits Achieved

    Strong understanding of the business goals of your website.

    Knowledge of the behaviors and needs of your website’s users.

    Realization of the root causes behind the UX issues of your website.

    Activities

    1.1 Define the business objectives for the website you want to optimize

    1.2 Define your end-user personas and map them to use cases

    1.3 Build your website user workflow

    1.4 Conduct a SWOT analysis of your website to drive out UX issues

    1.5 Gauge the UX competencies of your web development team

    1.6 Simulate your user workflow to identify the steps driving down UX

    1.7 Assess the composition and construction of your website

    1.8 Understand the execution of your website with a system architecture

    1.9 Pinpoint the technical reason behind your UX issues

    1.10 Clarify and prioritize your UX issues

    Outputs

    Business objectives

    End-user personas and use cases

    User workflows

    Website SWOT analysis

    UX competency assessment

    User workflow simulation

    Website design assessment

    Current state of web system architecture

    Gap analysis of web system architecture

    Prioritized UX issues

    2 Design Your UX-Driven Website

    The Purpose

    Design wireframes and storyboards aligned to high-priority use cases.

    Design a web system architecture that can sufficiently support the website.

    Identify UX metrics to gauge the success of the website.

    Establish a website design process flow.

    Key Benefits Achieved

    Implementation of key design elements and website functions that users will find stimulating and valuable.

    Optimized web system architecture to better support the website.

    Website design process aligned to your current context.

    Rollout plan for your UX optimization initiatives.

    Activities

    2.1 Define the roles of your UX development team

    2.2 Build your wireframes and user storyboards

    2.3 Design the target state of your web environment

    2.4 List your UX metrics

    2.5 Draw your website design process flow

    2.6 Define your UX optimization roadmap

    2.7 Identify and engage your stakeholders

    Outputs

    Roles of UX development team

    Wireframes and user storyboards

    Target state of web system architecture

    List of UX metrics

    List of your suppliers, inputs, processes, outputs, and customers

    Website design process flow

    UX optimization rollout roadmap

    Select and Implement a Reporting and Analytics Solution

    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $10,110 Average $ Saved
    • member rating average days saved: 3 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • Statistics show that the top priority of 85% of CIOs is insight and intelligence. Yet an appetite for intelligence does not mean that business intelligence initiatives will be an automatic success. In fact, many industry studies found that only 30% to 50% of organizations considered their BI initiative to be a complete success. It is, therefore, imperative that organizations take the time to select and implement a BI suite that aligns with business goals and fosters end-user adoption.
    • The multitude of BI offerings creates a busy and sometimes overwhelming vendor landscape. When selecting a solution, you have to make sense of the many offerings and bridge the gap between what is out there and what your organization needs.
    • BI is more than software. A BI solution has to effectively address business needs and demonstrate value through content and delivery once the platform is implemented.
    • Another dimension of BI success is the quality and validity of the reports and insights. The BI solution is only as good as the quality of the data fueling it.

    Our Advice

    Critical Insight

    • Business intelligence starts with data management. Without data management, including governance and data quality capabilities, your BI users will not be able to get the insights they need due to inaccurate and unavailable data.
    • When selecting a BI tool, it is crucial to ensure that the tool is fit for the purpose of the organization. Ensure alignment between the business drivers and the tool capabilities.
    • Self-serve BI requires a measured approach. Self-serve BI is meant to empower users to make more informed and faster decisions. But uncontrolled self-serve BI will lead to report chaos and prevent users from getting the most out of the tool. You must govern self-serve before it gets out of hand.

    Impact and Result

    • Evaluate your organization and place it in one of our three BI use cases. Find a BI suite that best suits the use case and, therefore, your organization.
    • Understand the ever-changing BI market. Get to know the established vendors as well as the emerging players.
    • Define BI requirements comprehensively through the lens of business, data, architecture, and user groups. Evaluate requirements to ensure they align with the strategic goals of the business.

    Select and Implement a Reporting and Analytics Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should select and implement a business intelligence and analytics solution, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch a BI selection project

    Promote and get approval for the BI selection and implementation project.

    • Select and Implement a Business Intelligence and Analytics Solution – Phase 1: Launch a BI Selection Project
    • BI Score Calculator
    • BI Project Charter

    2. Select a BI solution

    Select the most suitable BI platform.

    • Select and Implement a Business Intelligence and Analytics Solution – Phase 2: Select a BI Solution
    • BI Use-Case Fit Assessment Tool
    • BI Planning and Scoring Tool
    • BI Vendor Demo Script
    • BI Vendor Shortlist & Detailed Feature Analysis Tool
    • BI Request for Proposal Template

    3. Implement the BI solution

    Build a sustainable BI program.

    • Select and Implement a Business Intelligence and Analytics Solution – Phase 3: Implement the BI Solution
    • BI Test Plan Template
    • BI Implementation Planning Tool
    • BI Implementation Work Breakdown Structure Template

    Workshop: Select and Implement a Reporting and Analytics Solution


    1 Launch a BI Selection Project

    The Purpose

    Identify the scope and objectives of the workshop.

    Discuss the benefits and opportunities related to a BI investment.

    Gain a high-level understanding of BI and the BI market definitions and details.

    Outline a project plan and identify the resourcing requirements for the project.

    Key Benefits Achieved

    Determine workshop scope.

    Identify the business drivers and benefits behind a BI investment.

    Outline the project plan for the organization’s BI selection project.

    Determine project resourcing.

    Identify and perform the steps to launch the organization’s selection project.

    Activities

    1.1 Identify business drivers for investing in process automation technology.

    1.2 Identify the organization’s fit for a BI investment.

    1.3 Create a project plan.

    1.4 Identify project resourcing.

    1.5 Outline the project’s timeline.

    1.6 Determine key metrics.

    1.7 Determine project oversight.

    1.8 Complete a project charter.

    Outputs

    Completion of a project charter

    Launched BI selection project

    2 Analyze BI Requirements and Shortlist Vendors

    The Purpose

    Identify functional requirements for the organization’s BI suite.

    Determine technical requirements for the organization’s BI suite.

    Identify the organization’s alignment to the Vendor Landscape’s use-case scenarios.

    Shortlist BI vendors.

    Key Benefits Achieved

    Documented functional requirements.

    Documented technical requirements.

    Identified use-case scenarios for the future BI solution.

    Activities

    2.1 Interview business stakeholders.

    2.2 Interview IT staff.

    2.3 Consolidate interview findings.

    2.4 Build the solution’s requirements package.

    2.5 Identify use-case scenario alignment.

    2.6 Review Info-Tech’s BI Vendor Landscape results.

    2.7 Create custom shortlist.

    Outputs

    Documented requirements for the future solution.

    Identification of the organization’s BI functional use-case scenarios.

    Shortlist of BI vendors.

    3 Plan the Implementation Process

    The Purpose

    Identify the steps for the organization’s implementation process.

    Select the right BI environment.

    Run a pilot project.

    Measure the value of your implementation.

    Key Benefits Achieved

    Install a BI solution and prepare the BI solution in a way that allows intuitive and interactive uses.

    Keep track of and quantify BI success.

    Activities

    3.1 Select the right environment for the BI platform.

    3.2 Configure the BI implementation.

    3.3 Conduct a pilot to get started with BI and to demonstrate BI possibilities.

    3.4 Promote BI development in production.

    Outputs

    A successful BI implementation.

    BI is architected with the right availability.

    BI ROI is captured and quantified.

    Adapt Your Customer Experience Strategy to Successfully Weather COVID-19

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • COVID-19 is an unprecedented global pandemic. It’s creating significant challenges across every sector.
    • The collapse of financial markets and a steep decline in consumer confidence have most firms nervous about revenue shortfalls and cash burn rates.
    • The economic impact of COVID-19 is freezing IT budgets and sharply changing IT priorities.
    • The human impact of COVID-19 is likely to lead to staffing shortfalls and knowledge gaps.
    • COVID-19 may be in play for up to two years.

    Our Advice

    Critical Insight

    The challenges posed by the virus are compounded by the fact that consumer expectations for strong service delivery remain high:

    • Customers still expect timely, on-demand service from the businesses they engage with.
    • There is uncertainty about how to maintain strong, revenue-driving experiences when faced with the operational challenges posed by the virus.
    • COVID-19 is changing how organizations set spending priorities within their CXM strategies.

    Impact and Result

    • Info-Tech recommends rapidly updating your strategy for customer experience management to ensure it can rise to the occasion.
    • Start by assessing the risk COVID-19 poses to your CXM approach and how it’ll impact marketing, sales, and customer service functions.
    • Implement actionable measures to blunt the threat of COVID-19 while protecting revenue, maintaining consistent product and service delivery, and improving the integrity of your brand. We’ll dive into five proven techniques in this brief!

    Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Research & Tools

    Start here

    Read our concise Executive Brief to find out why you should examine the impact of COVID-19 on customer experience strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Storyboard

    1. Assess the impact of COVID-19 on your CXM strategy

    Create a consolidated, updated view of your current customer experience management strategy and identify which elements can be capitalized on to dampen the impact of COVID-19 and which elements are vulnerabilities that the pandemic may threaten to exacerbate.

    2. Blunt the damage of COVID-19 with new CXM tactics

    Create a roadmap of business and technology initiatives through the lens of customer experience management that can be used to help your organization protect its revenue, maintain customer engagement, and enhance its brand integrity.


    Terms and Conditions for consulting to businesses

    By signing an agreement with Gert Taeymans bvba, Client declares that he agrees with the Terms and Conditions referred to hereafter. Terms and conditions on Client's order form or any other similar document shall not be binding upon Gert Taeymans bvba.

    The prices, quantities and delivery time stated in any quotation are not binding upon Gert Taeymans bvba. They are commercial estimates only which Gert Taeymans bvba will make reasonable efforts to achieve. Prices quoted in final offers will be valid only for 30 days. All prices are VAT excluded and do not cover expenses, unless otherwise agreed in writing. Gert Taeymans bvba reserves the right to increase a quoted fee in the event that Client requests a variation to the work agreed.

    The delivery times stated in any quotation are of an indicative nature and not binding upon Gert Taeymans bvba, unless otherwise agreed in writing. Delivery times will be formulated in working days. In no event shall any delay in delivery be cause for cancellation of an order or entitle Client to any damages.

    Amendments or variations of the initial agreement between Client and Gert Taeymans bvba will only be valid when accepted by both parties in writing.

    Any complaints concerning the performance of services must be addressed to Gert Taeymans bvba in writing and by registered mail within 7 working days of the date of the performance of the services.

    In no event shall any complaint be just cause for non-payment or deferred payment of invoices. Any invoice and the services described therein will be deemed irrevocably accepted by Client if no official protest of non-payment has been sent by Client within 7 working days from the date of the mailing of the invoice.

    Client shall pay all invoices of Gert Taeymans bvba within thirty (30) calendar days of the date of invoice unless otherwise agreed in writing by Gert Taeymans bvba. In the event of late payment, Gert Taeymans bvba may charge a monthly interest on the amount outstanding at the rate of two (2) percent with no prior notice of default being required, in which case each commenced month will count as a full month. Any late payment will entitle Gert Taeymans bvba to charge Client a fixed handling fee of 300 EUR. All costs related to the legal enforcement of the payment obligation, including lawyer fees, will be charged to Client.

    In no event will Gert Taeymans bvba be liable for damages of any kind, including without limitation, direct, incidental or consequential damages (including, but not limited to, damages for lost profits, business interruption and loss of programs or information) arising out of the use of Gert Taeymans bvba services.

    Gert Taeymans bvba collects personal data from Client for the performance of its services and the execution of its contracts. Such personal data can also be used for direct marketing, allowing Gert Taeymans bvba to inform Client of its activities on a regular basis. If Client objects to the employment of its personal data for direct marketing, Client must inform Gert Taeymans bvba on the following address: gert@gerttaeymans.consulting.

    Client can consult, correct or amend its personal data by addressing such request to Gert Taeymans bvba by registered mail. Personal data shall in no event be sold, rented or made available to other firms or third parties where not needed for the execution of the contract. Gert Taeymans bvba reserves the right to update and amend its privacy policy from time to time to remain consistent with applicable privacy legislation.

    The logo of the Client will be displayed on the Gert Taeymans bvba website, together with a short description of the project/services.

    Any changes to Client’s contact information such as addresses, phone numbers or e-mail addresses must be communicated to Gert Taeymans bvba as soon as possible during the project.

    Both parties shall maintain strict confidence and shall not disclose to any third party any information or material relating to the other or the other's business, which comes into that party's possession and shall not use such information and material. This provision shall not, however, apply to information or material, which is or becomes public knowledge other than by breach by a party of this clause.

    Gert Taeymans bvba has the right to change or modify these terms and conditions at any time without notice.

    The agreement shall be exclusively governed by and construed in accordance with the laws of Belgium. The competent courts of Antwerp, Belgium will finally settle any dispute about the validity, the interpretation or the execution of this agreement.

    These Terms and Conditions are the only terms and conditions applicable to both parties.

    If any provision or provisions of these Terms and Conditions shall be held to be invalid, illegal or unenforceable, such provision shall be enforced to the fullest extent permitted by applicable law, and the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.

    Maximize Business Value From IT Through Benefits Realization

    • member rating overall impact (scale of 10): 6.0/10 Overall Impact
    • member rating average days saved: 4 Average Days Saved
    • After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • IT and the business are often misaligned because business value is not well defined or communicated.
    • Decisions are made without a shared perspective of value. This results in cost misallocation and unexploited opportunities to improve efficiency and drive innovation.

    Our Advice

    Critical Insight

    • IT exists to provide business value and is part of the business value chain. Most IT organizations lack a way to define value, which complicates the process of making value-based strategic business decisions.
    • IT must link its spend to business value to justify its investments. IT doesn’t have an established process to govern benefits realization and struggles to demonstrate how it provides value from its investments.
    • Pursue value, not technology. The inability to articulate value leads to IT being perceived as a cost center.

    Impact and Result

    • Ensure there is a common understanding within the organization of what is valuable to drive growth and consistent strategic decision making.
    • Equip IT to evaluate, direct, and monitor investments to support the achievement of organizational values and business benefits.
    • Align IT spend with business value through an enhanced governance structure to achieve cost optimization. Ensure IT visibly contributes to the creation and maintenance of value.

    Maximize Business Value From IT Through Benefits Realization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a benefits realization process, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand business value

    Ensure that all key strategic stakeholders hold a current understanding of what is valuable to the organization and a sense of what will be valuable based on future needs.

    • Maximize Business Value from IT Through Benefits Realization – Phase 1: Understand Business Value
    • Business Value Statement Template
    • Business Value Statement Example
    • Value Statement Email Communication Template
    • Feedback Consolidation Tool

    2. Incorporate benefits realization into governance

    Establish the process to evaluate spend on IT initiatives based on expected benefits, and implement the methods to monitor how well the initiatives achieve these benefits.

    • Maximize Business Value from IT Through Benefits Realization – Phase 2: Incorporate Benefits Realization into Governance
    • Business Value Executive Presentation Template

    3. Ensure an accurate reference of value

    Re-evaluate, on a consistent basis, the accuracy of the value drivers stated in the value statement with respect to the organization’s current internal and external environments.

    • Maximize Business Value from IT Through Benefits Realization – Phase 3: Ensure an Accurate Reference of Value

    Workshop: Maximize Business Value From IT Through Benefits Realization


    1 Understand Business Value

    The Purpose

    Establish the business value statement.

    Understand the importance of implementing a benefits realization process.

    Key Benefits Achieved

    Unified stakeholder perspectives of business value drivers

    Establish supporters of the initiative

    Activities

    1.1 Understand what governance is and how a benefits realization process in governance will benefit the company.

    1.2 Discuss the mission and vision of the company, and why it is important to establish the target state prior to defining value.

    1.3 Brainstorm and narrow down organization value drivers.

    Outputs

    Stakeholder buy-in on benefits realization process

    Understanding of interrelations of mission, vision, and business value drivers

    Final three prioritized value drivers

    Completed business value statement

    2 Incorporate Benefits Realization Into Governance

    The Purpose

    Establish the intake, assessment and prioritization, and output and monitoring processes that are involved with implementing benefits realization.

    Assign cut-over dates and accountabilities.

    Establish monitoring and tracking processes.

    Key Benefits Achieved

    A thorough implementation plan that can be incorporated into existing governance documents

    Stakeholder understanding of implemented process, process ownership

    Activities

    2.1 Devise the benefits realization process.

    2.2 Establish launch dates, accountabilities, and exception handling on processes.

    2.3 Devise compliance monitoring and exception tracking methods on the benefits realization process.

    Outputs

    Benefits realization process incorporated into governance documentation

    Actionable plan to implement benefits realization process

    Reporting processes to ensure the successful delivery of the improved governance process

    3 Ensure an Accurate Reference of Value

    The Purpose

    Implement a process to ensure that business value drivers remain current to the organization.

    Key Benefits Achieved

    Align IT with the business and business to its environment

    Activities

    3.1 Determine regular review cycle to reassess business value drivers.

    3.2 Determine the trigger events that may cause off-cycle revisits to value.

    3.3 Devise compliance monitoring on value definition.

    Outputs

    Agenda and tools to assess the business context to verify the accuracy of value

    List of possible trigger events specific to your organization

    Reporting processes to ensure the continuous adherence to the business value definition

    Document Your Cloud Strategy

    • member rating overall impact (scale of 10): 8.9/10 Overall Impact
    • member rating average dollars saved: $35,642 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy

    Despite the universally agreed-upon benefit of formulating a coherent strategy, several obstacles make execution difficult:

    • Inconsistent understanding of what the cloud means
    • Inability to come to a consensus on key decisions
    • Ungoverned decision-making
    • Unclear understanding of cloud roles and responsibilities

    Our Advice

    Critical Insight

    A cloud strategy might seem like a big project, but it’s just a series of smaller conversations. The methodology presented here is designed to facilitate those conversations, using a curated list of topics, prompts, participant lists, and sample outcomes. We have divided the strategy into four key areas:

    • Vision and alignment
    • People
    • Governance
    • Technology

    Impact and Result

    • A shared understanding of what is necessary to succeed in the cloud
    • An end to ad hoc deployments that solve small problems and create larger ones
    • A unified approach and set of principles that apply to governance, architecture, integration, skills, and roles (and much, much more).

    Document Your Cloud Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Document Your Cloud Strategy – a phased guide to identifying, validating, and recording the steps you’ll take, the processes you’ll leverage, and the governance you’ll deploy to succeed in the cloud.

    This storyboard comprises four phases, covering mission and vision, people, governance, and technology, and how each of these areas requires forethought when migrating to the cloud.

    • Document Your Cloud Strategy – Phases 1-4

    2. Cloud Strategy Document Template – a template that allows you to record the results of the cloud strategy exercise in a clear, readable way.

    Each section of Document Your Cloud Strategy corresponds to a section in the document template. Once you’ve completed each exercise, you can record your results in the document template, leaving you with an artifact you can share with stakeholders.

    • Cloud Strategy Document Template

    Workshop: Document Your Cloud Strategy


    1 Document Your Vision and Alignment

    The Purpose

    Understand and document your cloud vision and its alignment with your other strategic priorities.

    Key Benefits Achieved

    A complete understanding of your strategy, vision, alignment, and a list of success metrics that will help you find your way.

    Activities

    1.1 Record your cloud mission and vision.

    1.2 Document your cloud strategy’s alignment with other strategic plans.

    1.3 Record your cloud guiding principles.

    Outputs

    Documented strategy, vision, and alignment.

    Defined success metrics.

    2 Record Your People Strategy

    The Purpose

    Define how people, skills, and roles will contribute to the broader cloud strategy.

    Key Benefits Achieved

    Sections of the strategy that highlight skills, roles, culture, adoption, and the creation of a governance body.

    Activities

    2.1 Outline your skills and roles strategy.

    2.2 Document your approach to culture and adoption.

    2.3 Create a cloud governing body.

    Outputs

    Documented people strategy.

    3 Document Governance Principles

    The Purpose

    This section facilitates governance in the cloud, developing principles that apply to architecture, integration, finance management, and more.

    Key Benefits Achieved

    Sections of the strategy that define governance principles.

    Activities

    3.1 Conduct discussion on architecture.

    3.2 Conduct discussion on integration and interoperability.

    3.3 Conduct discussion on operations management.

    3.4 Conduct discussion on cloud portfolio management.

    3.5 Conduct discussion on cloud vendor management.

    3.6 Conduct discussion on finance management.

    3.7 Conduct discussion on security.

    3.8 Conduct discussion on data controls.

    Outputs

    Documented cloud governance strategy.

    4 Formalize Your Technology Strategy

    The Purpose

    Creation of a formal cloud strategy relating to technology around provisioning, monitoring, and migration.

    Key Benefits Achieved

    Completed strategy sections of the document that cover technology areas.

    Activities

    4.1 Formalize organizational approach to monitoring.

    4.2 Document provisioning process.

    4.3 Outline migration processes and procedures.

    Outputs

    Documented cloud technology strategy.

    Further reading

    Document Your Cloud Strategy

    Get ready for the cloudy future with a consistent, proven strategy.

    Analyst perspective

    Any approach is better than no approach


    Moving to the cloud is a big, scary transition, like moving from gas-powered to electric cars, or from cable to streaming, or even from the office to working from home. There are some undeniable benefits, but we must reorient our lives a bit to accommodate those changes, and the results aren’t always one-for-one. A strategy helps you make decisions about your future direction and how you should respond to changes and challenges. In Document Your Cloud Strategy we hope to help you accomplish just that: clarifying your overall mission and vision (as it relates to the cloud) and helping you develop an approach to changes in technology, people management, and, of course, governance. The cloud is not a panacea. Taken on its own, it will not solve your problems. But it can be an important tool in your IT toolkit, and you should aim to make the best use of it – whatever “best” happens to mean for you.

    Jeremy Roberts

    Research Director, Infrastructure and Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The cloud is multifaceted. It can be complicated. It can be expensive. Everyone has an opinion on the best way to proceed – and in many cases has already begun the process without bothering to get clearance from IT. The core challenge is creating a coherent strategy to facilitate your overall goals while making the best use of cloud technology, your financial resources, and your people.

    Common Obstacles

    Despite the universally agreed-upon benefit of formulating a coherent strategy, several obstacles make execution difficult:

    • Inconsistent understanding of what the cloud means
    • Inability to come to a consensus on key decisions
    • Ungoverned decision making
    • Unclear understanding of cloud roles and responsibilities

    Info-Tech’s Approach

    A cloud strategy might seem like a big project, but it’s just a series of smaller conversations. The methodology presented here is designed to facilitate those conversations, using a curated list of topics, prompts, participant lists, and sample outcomes. We have divided the strategy into four key areas:

    1. Vision and alignment
    2. People
    3. Governance
    4. Technology

    The answers might be different, but the questions are the same

    Every organization will approach the cloud differently, but they all need to ask the same questions: When will we use the cloud? What forms will our cloud usage take? How will we manage governance? What will we do about people? How will we incorporate new technology into our environment? The answers to these questions are as numerous as there are people to answer them, but the questions must be asked.

    Your challenge

    This research is designed to help organizations that are facing these challenges or looking to:

    • Ensure that the cloud strategy is complete and accurately reflects organizational goals and priorities.
    • Develop a consistent and coherent approach to adopting cloud services.
    • Design an approach to mitigate risks and challenges associated with adopting cloud services.
    • Create a shared understanding of the expected benefits of cloud services and the steps required to realize those benefits.

    Grappling with a cloud strategy is a top initiative: 43% of respondents report progressing on a cloud-first strategy as a top cloud initiative.

    Source: Flexera, 2021.

    Definition: Cloud strategy

    A document providing a systematic overview of cloud services, their appropriate use, and the steps that an organization will take to maximize value and minimize risk.

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • The cloud means different things to different people, and creating a strategy that is comprehensive enough to cover a multitude of use cases while also being written to be consumable by all stakeholders is difficult.
    • The incentives to adopt the cloud differ based on the expected benefit for the individual customer. User-led decision making and historically ungoverned deployments can make it difficult to reset expectations and align with a formal strategy.
    • Getting all the right people in a room together to agree on the key components of the strategy and the direction undertaken for each one is often difficult.

    Info-Tech’s approach

    Define Your Cloud Vision

    Vision and alignment

    • Mission and vision
    • Alignment to other strategic plans
    • Guiding principles
    • Measuring success

    Technology

    • Monitoring
    • Provisioning
    • Migration

    Governance

    • Architecture
    • Integration and interoperability
    • Operations management
    • Cloud portfolio management
    • Cloud vendor management
    • Finance management
    • Security
    • Data controls

    People

    • Skills and roles
    • Culture and adoption
    • Governing bodies

    Info-Tech’s approach

    Your cloud strategy will comprise the elements listed under “vision and alignment,” “technology,” “governance,” and “people.” The Info-Tech methodology involves breaking the strategy down into subcomponents and going through a three-step process for each one. Start by reviewing a standard set of questions and understanding the goal of the exercise: What do we need to know? What are some common considerations and best practices? Once you’ve had a chance to review, discuss your current state and any gaps: What has been done? What still needs to be done? Finally, outline how you plan to go forward: What are your next steps? Who needs to be involved?

    Review

    • What questions do we need to answer to complete the discussion of this strategy component? What does the decision look like?
    • What are some key terms and best practices we must understand before deciding?

    Discuss

    • What steps have we already taken to address this component?
    • Does anything still need to be done?
    • Is there anything we’re not sure about or need further guidance on?

    Go forward

    • What are the next steps?
    • Who needs to be involved?
    • What questions still need to be asked/answered?
    • What should the document’s wording look like?

    Info-Tech’s methodology for documenting your cloud strategy

    Phase 1: Document your vision and alignment

    Phase steps:

    1. Record your cloud mission and vision
    2. Document your cloud strategy’s alignment with other strategic plans
    3. Record your cloud guiding principles
    4. Define success

    Phase outcome: Documented strategy: vision and alignment

    Phase 2: Record your people strategy

    Phase steps:

    1. Outline your skills and roles strategy
    2. Document your approach to culture and adoption
    3. Create a cloud governing body

    Phase outcome: Documented people strategy

    Phase 3: Document governance principles

    Phase steps: Document official organizational positions in these governance areas:

    1. Architecture
    2. Integration and interoperability
    3. Operations management
    4. Cloud portfolio management
    5. Cloud vendor management
    6. Finance management
    7. Security
    8. Data controls

    Phase outcome: Documented cloud governance strategy

    Phase 4: Formalize your technology strategy

    Phase steps:

    1. Formalize organizational approach to monitoring
    2. Document provisioning process
    3. Outline migration processes and procedures

    Phase outcome: Documented cloud technology strategy

    Insight summary

    Separate strategy from tactics

    Separate strategy from tactics! A strategy requires building out the framework for ongoing decision making. It is meant to be high level and achieve a large goal. The outcome of a strategy is often a sense of commitment to the goal and better communication on the topic.

    The cloud does not exist in a vacuum

    Your cloud strategy flows from your cloud vision and should align with the broader IT strategy. It is also part of a pantheon of strategies and should exist harmoniously with other strategies – data, security, etc.

    People problems needn’t preponderate

    The cloud doesn’t have to be a great disruptor. If you handle the transition well, you can focus your people on doing more valuable work – and this is generally engaging.

    Governance is a means to an end

    Governing your deployment for its own sake will only frustrate your end users. Articulate the benefits users and the organization can expect to see and you’re more likely to receive the necessary buy-in.

    Technology isn’t a panacea

    Technology won’t solve all your problems. Technology is a force multiplier, but you will still have to design processes and train your people to fully leverage it.

    Key deliverable

    Cloud Strategy Document template

    Inconsistency and informality are the enemies of efficiency. Capture the results of the cloud strategy generation exercises in the Cloud Strategy Document template.

    • Record the results of the exercises undertaken as part of this blueprint in the Cloud Strategy Document template.
    • It is important to remember that not every cloud strategy will look exactly the same, but this template represents an amalgamation of best practices and cloud strategy creation honed over several years of advisory service in the space.
    • You know your audience better than anyone. If you would prefer a strategy delivered in a different way (e.g. presentation format) feel free to adapt the Cloud Vision Executive Presentation into a longer strategy presentation.
    • Emphasis is an area where you should exercise discretion as well. A cost-oriented cloud strategy, or one that prioritizes one type of cloud (e.g. SaaS) to the exclusion of others, may benefit from more focus on some areas than others, or the introduction of relevant subcategories. Include as many of these as you think will be relevant.
    • Parsimony is king – if you can distill a concept to its essence, start there. Include additional detail only as needed. You want your cloud strategy document to be read. If it’s too long or overly detailed, you’ll encounter readability issues.

    Blueprint benefits

    IT benefits

    • A consistent, well-defined approach to the cloud
    • Consensus on key strategy components, including security, architecture, and integration
    • A clear path forward on skill development and talent acquisition/retention
    • A comprehensive resource for information about the organization’s approach to key strategy components

    Business benefits

    • Predictable access to cloud services
    • A business-aligned approach to leveraging the resources available in the cloud
    • Efficient and secure consumption of cloud resources where appropriate to do so
    • Answers to questions about the cloud and how it will be leveraged in the environment

    Measure the value of this blueprint

    Don’t take our word for it:

    • Document Your Cloud Strategy has been available for several years in various forms as both a workshop and as an analyst-led guided implementation.
    • After each engagement, we send a survey that asks members how they benefited from the experience. Those who have worked through Info-Tech’s cloud strategy material have given overwhelmingly positive feedback.
    • Additionally, members reported saving between 10 and 20 days and an average of $46,499.
    • Measure the value by calculating the time saved as a result of using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

    8.8/10 Average reported satisfaction

    13 Days Average reported time savings

    $46,499 Average cost savings

    Executive Brief Case Study

    INDUSTRY: Pharmaceuticals

    SOURCE: Info-Tech workshop

    Pharmaceutical company

    The unnamed pharmaceutical company that is the subject of this case study was looking to make the transition to the cloud. In the absence of a coherent strategy, the organization had a few cloud deployments with no easily discernible overall approach. Representatives of several distinct functions (legal, infrastructure, data, etc.) all had opinions on the uses and abuses of cloud services, but it had been difficult to round everyone up and have the necessary conversations. As a result, the strategy exercise had not proceeded in a speedy or well-governed way. This lack of strategic readiness presented a roadblock to moving forward with the cloud strategy and to working with the cloud implementation partner tasked with execution.

    Results

    The company engaged Info-Tech for a four-day workshop on cloud strategy documentation. Over the course of four days, participants drawn from across the organization discussed the strategic components and generated consensus statements and next steps. The team was able to formalize the cloud strategy and described the experience as saving 10 days.

    Example output: Document your cloud strategy workshop exercise


    For anything in green, the team was reasonably sure they had good alignment and next steps. Items flagged yellow warranted more discussion and were not ready for documentation.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1: Document your vision and alignment

    Call #1: Review existing vision/strategy documentation.

    Phase 2: Record your people strategy

    Call #2: Review progress on skills, roles, and governance bodies.

    Phase 3: Document governance principles

    Call #3: Work through integration, architecture, finance management, etc. based on requirements. (May be more than one call.)

    Phase 4: Formalize your technology strategy

    Call #4: Discuss challenges with monitoring, provisioning, and migration as needed.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 4 to 6 calls over the course of 1 to 3 months.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1: Answer “so what?”

    Activities

    1.1 Introduction

    1.2 Discuss cloud mission and vision

    1.3 Discuss alignment with other strategic plans

    1.4 Discuss guiding principles

    1.5 Define success metrics

    Deliverables

    Formalized cloud mission and vision, along with alignment with strategic plans, guiding principles, and success metrics

    Day 2: Define the IT target state

    Activities

    2.1 Discuss skills and roles

    2.2 Review culture and adoption

    2.3 Discuss a cloud governing body

    2.4 Review architecture position

    2.5 Discuss integration and interoperability

    Deliverables

    Position statement on skills and roles, culture and adoption, governing bodies, architecture, and integration/interoperability

    Day 3: Assess the IT current state

    Activities

    3.1 Discuss cloud operations management

    3.2 Review cloud portfolio management

    3.3 Discuss cloud vendor management

    3.4 Discuss cloud finance management

    3.5 Discuss cloud security

    Deliverables

    Position statements on cloud operations management, portfolio management, vendor management, finance management, and cloud security

    Day 4: Bridge the gap and create the strategy

    Activities

    4.1 Review and formalize data controls

    4.2 Design a monitoring approach

    4.3 Document the workload provisioning process

    4.4 Outline migration processes and procedures

    Deliverables

    Position statements on data controls, monitoring, provisioning, and migration

    Day 5: Next steps and wrap-up (offsite)

    Activities

    5.1 Populate the Cloud Strategy Document

    Deliverables

    Completed Cloud Strategy Document

    Phase 1

    Document Your Vision and Alignment

    Phase 1

    1.1 Document your mission and vision

    1.2 Document alignment to other strategic plans

    1.3 Document guiding principles

    1.4 Document success metrics

    Phase 2

    2.1 Define approach to skills and roles

    2.2 Define approach to culture and adoption

    2.3 Define cloud governing bodies

    Phase 3

    3.1 Define architecture direction

    3.2 Define integration approach

    3.3 Define operations management process

    3.4 Define portfolio management direction

    3.5 Define vendor management direction

    3.6 Document finance management tactics

    3.7 Define approach to cloud security

    3.8 Define data controls in the cloud

    Phase 4

    4.1 Define cloud monitoring strategy

    4.2 Define cloud provisioning strategy

    4.3 Define cloud migration strategy

    This phase will walk you through the following activities:

    1. Record your cloud mission and vision
    2. Document your cloud strategy’s alignment with other strategic plans
    3. Record your cloud guiding principles
    4. Define success

    This phase has the following outcome:

    • Documented strategy: vision and alignment

    Record your mission and vision

    Build on the work you’ve already done

    Before formally documenting your cloud strategy, you should ensure that you have a good understanding of your overall cloud vision. How do you plan to leverage the cloud? What goals are you looking to accomplish? How will you distribute your workloads between different cloud service models (SaaS, PaaS, IaaS)? What will your preferred delivery model be (public, private, hybrid)? Will you support your cloud deployment internally or use the services of various consultants or managed service providers?

    The answers to these questions will inform the first section of your cloud strategy. If you haven’t put much thought into this or think you could use a deep dive on the fundamentals of your cloud vision and cloud archetypes, consider reviewing Define Your Cloud Vision, the companion blueprint to this one.

    Once you understand your cloud vision and what you’re trying to accomplish with your cloud strategy, this phase will walk you through aligning the strategy with other strategic initiatives. What decisions have others made that will impact the cloud strategy (or that the cloud strategy will impact)? Who must be involved/informed? What callouts must be involved at what point? Do users have access to the appropriate strategic documentation (and would they understand it if they did)?

    You must also capture some guiding principles. A strategy by its nature provides direction, helping readers understand the decisions they should make and why those decisions align with organizational interests. Creating some top-level principles is a useful exercise because those principles facilitate comprehension and ensure the strategy’s applicability.

    Finally, this phase will walk you through the process of measuring success. Once you know where you’d like to go, the principles that underpin your direction, and how your cloud strategy figures into the broader strategic pantheon, you should record what success actually means. If you’re looking to save money, overall cost should be a metric you track. If the cloud is all about productivity, generate appropriate productivity metrics. If you’re looking to expand into new technology or close a datacenter, you will need to track output specific to those overall goals.

    Review: mission and vision

    The overall organizational mission is a key foundational element of the cloud strategy. If you don’t understand where you’re going, how can you begin the journey to get there? This section of the strategy has four key parts that you should understand and incorporate into the beginning of the strategy document. If you haven’t already, review Define Your Cloud Vision for instructions on how to generate these elements.

    1. Cloud vision statement: This is a succinct encapsulation of your overall perspective on the suitability of cloud services for your environment – what you hope to accomplish. The ideal statement includes a scope (who/what does the strategy impact?), a goal (what will it accomplish?), and a key differentiator (what will make it happen?). This is an example: “[Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.” You might also consider reviewing your overall cloud archetype (next slide) and including the output of that exercise in the document.

    2. Service model decision framework: Services can be provided as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), or they can be colocated or remain on premises. Not all cloud service models serve the same purpose or provide equal value in all circumstances. Understanding how you plan to take advantage of these distinct service models is an important component of the cloud strategy. In this section of the strategy, a rubric that captures the characteristics of the ideal workload for each of the named service models, along with some justification for the selection, is essential. This is a core component of Define Your Cloud Vision, and if you would like to analyze individual workloads, you can use the Cloud Vision Workbook for that purpose.

    3. Delivery model decision framework: Just as there are different cloud service models that have unique value propositions, there are several unique cloud delivery models as well, distinguished by ownership, operation, and customer base. Public clouds are the purview of third-party providers who make them available to paying customers. Private clouds are built for the exclusive use of a designated organization or group of organizations with internal clients to serve. Hybrid clouds involve the use of multiple, interoperable delivery models (interoperability is the key term here), while multi-cloud deployment models incorporate multiple delivery and service models into a single coherent strategy. What will your preferred delivery model be? Why?

    4. Support model decision framework: Once you have a service model nailed down and understand how you will execute on the delivery, the question then becomes about how you will support your cloud deployment going forward. Broadly speaking, you can choose to manage your deployment in house using internal resources (e.g. staff), to use managed service providers for ongoing support, or to hire consultants to handle specific projects/tasks. Each approach has its strengths and weaknesses, and many cloud customers will deploy multiple support models across time and different workloads. A foundational perspective on the support model is a key component of the cloud vision and should appear early in the strategy.

    Understand key cloud concepts: Archetype

    Once you understand the value of the cloud, your workloads’ general suitability for the cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype. Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes. After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders. The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.

    The archetypes below are ordered from more cloud (top) to less cloud (bottom).

    We can best support the organization’s goals by:

    Cloud-Focused

    • Cloud-Centric: Providing all workloads through cloud delivery.
    • Cloud-First: Using the cloud as our default deployment model. For each workload, we should ask “why NOT cloud?”

    Cloud-Opportunistic

    • Hybrid: Enabling the ability to transition seamlessly between on-premises and cloud resources for many workloads.
    • Integrated: Combining cloud and traditional infrastructure resources, integrating data and applications through APIs or middleware.
    • Split: Using the cloud for some workloads and traditional infrastructure resources for others.

    Cloud-Averse

    • Cloud-Light: Using traditional infrastructure resources and limiting our use of the cloud to when it is absolutely necessary.
    • Anti-Cloud: Using traditional infrastructure resources and avoiding the use of cloud wherever possible.

    Build Your Data Quality Program

    • member rating overall impact (scale of 10): 9.1/10 Overall Impact
    • member rating average dollars saved: $40,241 Average $ Saved
    • member rating average days saved: 33 Average Days Saved
    • Experiencing the pitfalls of poor data quality and failing to benefit from good data quality, including:
      • Unreliable data and unfavorable output.
      • Inefficiencies and costly remedies.
      • Dissatisfied stakeholders.
    • Poor data quality hinders successful decision making.

    Our Advice

    Critical Insight

    • Address the root causes of your data quality issues and form a viable data quality program.
      • Be familiar with your organization’s data environment and business landscape.
      • Prioritize business use cases for data quality fixes.
      • Fix data quality issues at the root cause to ensure proper foundation for your data to flow.
    • It is important to sustain best practices and grow your data quality program.

    Impact and Result

    • Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.
    • Develop a prioritized data quality improvement project roadmap and long-term improvement strategy.
    • Build related practices such as artificial intelligence and analytics with more confidence and less risk after achieving an appropriate level of data quality.

    Build Your Data Quality Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a data quality program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your organization’s data environment and business landscape

    Learn about what causes data quality issues, how to measure data quality, and what makes a good data quality practice in relation to your data and business environments.

    • Business Capability Map Template

    2. Analyze your priorities for data quality fixes

    Determine your business unit priorities to create data quality improvement projects.

    • Data Quality Problem Statement Template
    • Data Quality Practice Assessment and Project Planning Tool

    3. Establish your organization’s data quality program

    Revisit the root causes of data quality issues and identify the relevant root causes to the highest priority business unit, then determine a strategy for fixing those issues.

    • Data Lineage Diagram Template
    • Data Quality Improvement Plan Template

    4. Grow and sustain your data quality practices

    Identify strategies for continuously monitoring and improving data quality at the organization.

    Infographic

    Workshop: Build Your Data Quality Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Organization’s Data Environment and Business Landscape

    The Purpose

    Evaluate the maturity of the existing data quality practice and activities.

    Assess how data quality is embedded into related data management practices.

    Envision a target state for the data quality practice.

    Key Benefits Achieved

    Understanding of the current data quality landscape

    Gaps, inefficiencies, and opportunities in the data quality practice are identified

    Target state for the data quality practice is defined

    Activities

    1.1 Explain approach and value proposition

    1.2 Detail business vision, objectives, and drivers

    1.3 Discuss data quality barriers, needs, and principles

    1.4 Assess current enterprise-wide data quality capabilities

    1.5 Identify data quality practice future state

    1.6 Analyze gaps in data quality practice

    Outputs

    Data Quality Management Primer

    Business Capability Map Template

    Data Culture Diagnostic

    Data Quality Diagnostic

    Data Quality Problem Statement Template

    2 Create a Strategy for Data Quality Project 1

    The Purpose

    Define improvement initiatives

    Define a data quality improvement strategy and roadmap

    Key Benefits Achieved

    Improvement initiatives are defined

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy

    A roadmap is defined to depict when and how to tackle the improvement initiatives

    Activities

    2.1 Create business unit prioritization roadmap

    2.2 Develop subject areas project scope

    2.3 For subject area 1: data lineage analysis, root cause analysis, impact assessment, and business analysis

    Outputs

    Business Unit Prioritization Roadmap

    Subject area scope

    Data Lineage Diagram

    3 Create a Strategy for Data Quality Project 2

    The Purpose

    Define improvement initiatives

    Define a data quality improvement strategy and roadmap

    Key Benefits Achieved

    Improvement initiatives are defined

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy

    A roadmap is defined to depict when and how to tackle the improvement initiatives

    Activities

    3.1 Understand how data quality management fits in with the organization’s data governance and data management programs

    3.2 For subject area 2: data lineage analysis, root cause analysis, impact assessment, and business analysis

    Outputs

    Data Lineage Diagram

    Root Cause Analysis

    Impact Analysis

    4 Create a Strategy for Data Quality Project 3

    The Purpose

    Determine a strategy for fixing data quality issues for the highest priority business unit

    Key Benefits Achieved

    Strategy defined for fixing data quality issues for highest priority business unit

    Activities

    4.1 Formulate strategies and actions to achieve data quality practice future state

    4.2 Formulate a data quality resolution plan for the defined subject area

    4.3 For subject area 3: data lineage analysis, root cause analysis, impact assessment, and business analysis

    Outputs

    Data Quality Improvement Plan

    Data Lineage Diagram

    5 Create a Plan for Sustaining Data Quality

    The Purpose

    Plan for continuous improvement in data quality

    Incorporate data quality management into the organization’s existing data management and governance programs

    Key Benefits Achieved

    Sustained and communicated data quality program

    Activities

    5.1 Formulate metrics for continuous tracking of data quality and monitoring the success of the data quality improvement initiative

    5.2 Workshop Debrief with Project Sponsor

    5.3 Meet with project sponsor/manager to discuss results and action items

    5.4 Wrap up outstanding items from the workshop, deliverables expectations, GIs

    Outputs

    Data Quality Practice Improvement Roadmap

    Data Quality Improvement Plan (for defined subject areas)

    Further reading

    Build Your Data Quality Program

    Quality Data Drives Quality Business Decisions

    Executive Brief

    Analyst Perspective

    Get ahead of the data curve by conquering data quality challenges.

    Regardless of the driving business strategy or focus, organizations are turning to data to leverage key insights and help improve the organization’s ability to realize its vision, key goals, and objectives.

    Poor quality data, however, can negatively affect time-to-insight and can undermine an organization’s customer experience efforts, product or service innovation, operational efficiency, or risk and compliance management. If you are looking to draw insights from your data for decision making, the quality of those insights is only as good as the quality of the data feeding or fueling them.

    Improving data quality means having a data quality management practice that is sustainably successful and appropriate to the use of the data, while evolving to keep pace with or get ahead of changing business and data landscapes. It is not a matter of fixing one data set at a time, which is resource and time intensive, but instead identifying where data quality consistently goes off the rails, and creating a program to improve the data processes at the source.

    Crystal Singh

    Research Director, Data and Analytics

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Your organization is experiencing the pitfalls of poor data quality, including:

    • Unreliable data and unfavorable output.
    • Inefficiencies and costly remedies.
    • Dissatisfied stakeholders.

    Poor data quality hinders successful decision making.

    Common Obstacles

    Not understanding the purpose and execution of data quality causes some disorientation with your data.

    • Failure to realize the importance/value of data quality.
    • Unsure of where to start with data quality.
    • Lack of investment in data quality.

    Organizations tend to adopt a project mentality when it comes to data quality instead of taking the strategic approach that would be all-around more beneficial in the long term.

    Info-Tech’s Approach

    Address the root causes of your data quality issues by forming a viable data quality program.

    • Be familiar with your organization’s data environment and business landscape.
    • Prioritize business use cases for data quality fixes.
    • Fix data quality issues at the root cause to ensure a proper foundation for your data to flow.

    It is important to sustain best practices and grow your data quality program.

    Info-Tech Insight

    Fix data quality issues as close as possible to the source of data while understanding that business use cases will each have different requirements and expectations from data quality.

    Data is the foundation of your organization’s knowledge

    Data enables your organization to make decisions.

    Reliable data is needed to facilitate data consumers at all levels of the enterprise.

    Insights, knowledge, and information are needed to inform operational, tactical, and strategic decision-making processes. Data and information are needed to manage the business and empower business processes such as billing, customer touchpoints, and fulfillment.

    Raw Data

    Business Information

    Actionable Insights

    Data should be at the foundation of your organization’s evolution. The transformational insights that executives are constantly seeking can be uncovered with a data quality practice that makes high-quality, trustworthy information readily available to the business users who need it.

    98% of companies use data to improve customer experience. (Experian Data Quality, 2019)

    High-Level Data Architecture

    The image is a graphic, which at the top shows different stages of data, and in the lower part of the graphic shows the data processes.

    Build Your Data Quality Program

    1. Data Quality & Data Culture Diagnostics Business Landscape Exercise
    2. Business Strategy & Use Cases
    3. Prioritize Use Cases With Poor Quality

    Info-Tech Insight

    As data is ingested, integrated, and maintained in the various streams of the organization's system and application architecture, there are multiple points where the quality of the data can degrade.

    1. Understand the organization's data culture and data quality environment across the business landscape.
    2. Prioritize business use cases with poor data quality.
    3. For each use case, identify data quality issues and requirements throughout the data pipeline.
    4. Fix data quality issues at the root cause.
    5. As data flows through quality assurance monitoring checkpoints, monitor it to ensure good quality output.

    Insight:

    Proper application of data quality dimensions throughout the data pipeline will result in superior business decisions.

    Data quality issues can occur at any stage of the data flow.

    The image shows the flow of data through various stages: Data Creation; Data Ingestion; Data Accumulation and Engineering; Data Delivery; and Reporting & Analytics. At the bottom, there are two bars: the left one labelled Fix data quality root causes here...; and the right reads: ...to prevent expensive cures here.

    The image is a legend that accompanies the data flow graphic. It indicates that a white and green square icon indicates Data quality dimensions; a red cube indicates a potential point of data quality degradation; the pink square indicates Root cause of poor data quality; and a green flag indicates Quality Assurance Monitoring.

    Prevent the domino effect of poor data quality

    Data is the foundation of decisions made at data-driven organizations.

    Therefore, if there are problems with the organization’s underlying data, this can have a domino effect on many downstream business functions.

    Let’s use an example to illustrate the domino effect of poor data quality.

    Organization X is looking to migrate their data to a single platform, System Y. After the migration, it has become apparent that reports generated from this platform are inconsistent and often seem wrong. What is the effect of this?

    1. Time must be spent on identifying the data quality issues, and often manual data quality fixes are employed. This will extend the time to deliver the project that depends on system Y by X months.
    2. To repair these issues, the business needs to contract two additional resources to complete the unforeseen work. The new resources cost $X each, as well as additional infrastructure and hardware costs.
    3. Now, the strategic objectives of the business are at risk and there is a feeling of mistrust in the new system Y.

    Three key challenges impacting the ability to deliver excellent customer experience

    30% Poor data quality

    30% Method of interaction changing

    30% Legacy systems or lack of new technology

    95% Of organizations indicated that poor data quality undermines business performance.

    (Source: Experian Data Quality, 2019)

    Maintaining quality data will support more informed decisions and strategic insight

    Improving your organization’s data quality will help the business realize the following benefits:

    Data-Driven Decision Making

    Business decisions should be made with a strong rationale. Data can provide insight into key business questions, such as, “How can I provide better customer satisfaction?”

    89% Of CIOs surveyed say lack of quality data is an obstacle to good decision making. (Larry Dignan, CIOs juggling digital transformation pace, bad data, cloud lock-in and business alignment, 2020)

    Customer Intimacy

    Improve marketing and the customer experience by using the right data from the system of record to analyze complete customer views of transactions, sentiments, and interactions.

    94% Of senior IT leaders say that poor data quality impinges on business outcomes. (Clint Boulton, Disconnect between CIOs and LOB managers weakens data quality, 2016)

    Innovation Leadership

    Gain insights on your products, services, usage trends, industry directions, and competitor results to support decisions on innovations, new products, services, and pricing.

    20% Businesses lose as much as 20% of revenue due to poor data quality. (RingLead Data Management Solutions, 10 Stats About Data Quality I Bet You Didn’t Know)

    Operational Excellence

    Make sure the right solution is delivered rapidly and consistently to the right parties for the right price and cost structure. Automate processes by using the right data to drive process improvements.

    10-20% The implementation of data quality initiatives can lead to reductions in corporate budget of up to 20%. (HaloBI, 2015)

    However, maintaining data quality is difficult

    Avoid these pitfalls to get the true value out of your data.

    1. Data debt drags down ROI – a high degree of data debt will hinder you from attaining the ROI you’re expecting.
    2. Lack of trust means lack of usage – a lack of confidence in data results in a lack of data usage in your organization, which negatively affects strategic planning, KPIs, and business outcomes.
    3. Strategic assets become a liability – bad data puts your business at risk of failing compliance standards, which could result in you paying millions in fines.
    4. Increased costs and inefficiency – time spent fixing bad data means less workload capacity for your important initiatives and the inability to make data-based decisions.
    5. Barrier to adopting data-driven tech – emerging technologies, such as predictive analytics and artificial intelligence, rely on quality data. Inaccurate, incomplete, or irrelevant data will result in delays or a lack of ROI.
    6. Bad customer experience – Running your business on bad data can hinder your ability to deliver to your customers, growing their frustration, which negatively impacts your ability to maintain your customer base.

    Info-Tech Insight

    Data quality suffers most at the point of entry. This is one of the causes of the domino effect of data quality – and can be one of the most costly forms of data quality errors due to the error propagation. In other words, fix data ingestion, whether through improving your application and database design or improving your data ingestion policy, and you will fix a large majority of data quality issues.

    Follow Our Data & Analytics Journey

    Data Quality is laced into Data Strategy, Data Management, and Data Governance.

    • Data Strategy
      • Data Management
        • Data Quality
        • Data Governance
          • Data Architecture
            • MDM
            • Data Integration
            • Enterprise Content Management
            • Information Lifecycle Management
              • Data Warehouse/Lake/Lakehouse
                • Reporting and Analytics
                • AI

    Data quality is rooted in data management

    Extract Maximum Benefit Out of Your Data Quality Management.

    • Data management is the planning, execution, and oversight of policies, practices, and projects that acquire, control, protect, deliver, and enhance the value of data and information assets (DAMA, 2009).
    • In other words, getting the right information, to the right people, at the right time.
    • Data quality management exists within each of the data practices, information dimensions, business resources, and subject areas that comprise the data management framework.
    • Within this framework, an effective data quality practice will replace ad hoc processes with standardized practices.
    • An effective data quality practice cannot succeed without proper alignment and collaboration across this framework.
    • Alignment ensures that the data quality practice is fit for purpose to the business.

    The DAMA DMBOK2 Data Management Framework

    • Data Governance
      • Data Quality
      • Data Architecture
      • Data Modeling & Design
      • Data Storage & Operations
      • Data Security
      • Data Integration & Interoperability
      • Documents & Content
      • Reference & Master Data
      • Data Warehousing & Business Intelligence
      • Meta-data

    (Source: DAMA International)

    Related Info-Tech Research

    Build a Robust and Comprehensive Data Strategy

    • People often think that the main problems they need to fix first are related to data quality when the issues transpire at a much larger level. This blueprint is the key to building and fostering a data-driven culture.

    Create a Data Management Roadmap

    • Refer to this blueprint to understand data quality in the context of data disciplines and methods for improving your data management capabilities.

    Establish Data Governance

    • Define an effective data governance strategy and ensure the strategy integrates well with data quality with this blueprint.

    Info-Tech’s methodology for Data Quality

    Phase Steps and Phase Outcomes

    1. Define Your Organization’s Data Environment and Business Landscape
       Phase outcome: This step identifies the foundational understanding of your data and business landscape, the essential concepts around data quality, as well as the core capabilities and competencies that IT needs to effectively improve data quality.
    2. Analyze Your Priorities for Data Quality Fixes
       Phase outcome: To begin addressing specific, business-driven data quality projects, you must identify and prioritize the data-driven business units. This will ensure that data improvement initiatives are aligned to business goals and priorities.
    3. Establish Your Organization’s Data Quality Program
       Phase outcome: After determining whose data is going to be fixed based on priority, determine the specific problems that they are facing with data quality, and implement an improvement plan to fix it.
    4. Grow and Sustain Your Data Quality Practice
       Phase outcome: Now that you have put an improvement plan into action, make sure that the data quality issues don’t keep cropping up. Integrate data quality management with data governance practices into your organization and look to grow your organization’s overall data maturity.

    Info-Tech Insight

    “Data Quality is in the eyes of the beholder.” – Igor Ikonnikov, Research Director

    Data quality means tolerance, not perfection

    Data from Info-Tech’s CIO Business Vision Diagnostic, which represents over 400 business stakeholders, shows that data quality is very important when satisfaction with data quality is low.

    However, when data quality satisfaction hit a threshold, it became less important.

    The image is a line graph, with the X-axis labelled Satisfaction with Data Quality, and the Y axis labelled Rated Importance for Data Quality. The line begins high, and then descends. There is text inside the graph, which is transcribed below.

    Respondents were asked “How satisfied are you with the quality, reliability, and effectiveness of the data you use to manage your group?” as well as to rank how important data quality was to their organization.

    When the business satisfaction of data quality reached a threshold value of 71-80%, the rated importance reached its lowest value.

    Info-Tech Insight

    Data needs to be good, but truly spectacular data may go unnoticed.

    Provide the right level of data quality, with the appropriate effort, for the correct usage. This blueprint will help you to determine what “the right level of data quality” means, as well as create a plan to achieve that goal for the business.

    Data Roles and Responsibilities

    Data quality occurs through three main layers across the data lifecycle

    Data Strategy

    Data Strategy should contain Data Quality as a standard component.

    ← Data Quality issues can occur at any stage of the data flow →

    DQ Dimensions

    Timeliness – Representation – Usability – Consistency – Completeness – Uniqueness – Entry Quality – Validity – Confidence – Importance

    Source System Layer

    • Data Resource Manager/Collector: Enters data into a database and ensures that data collection sources are accurate

    Data Transformation Layer

    • ETL Developer: Designs data storage systems
    • Data Engineer: Oversees data integrations, data warehouses and data lakes, data pipelines
    • Database Administrator: Manages database systems, ensures they meet SLAs, performances, backups
    • Data Quality Engineer: Finds and cleanses bad data in data sources, creates processes to prevent data quality problems

    Consumption Layer

    • Data Scientist: Gathers and analyses data from databases and other sources, runs models, and creates data visualizations for users
    • BI Analyst: Evaluates and mines complex data and transforms it into insights that drive business value. Uses BI software and tools to analyze industry trends and create visualizations for business users
    • Data Analyst: Extracts data from business systems, analyzes it, and creates reports and dashboards for users
    • BI Engineer: Documents business needs on data analysis and reporting and develops BI systems, reports, and dashboards to support them
    Data Creation → [SLA] Data Ingestion [QA] → Data Accumulation & Engineering → [SLA] Data Delivery [QA] → Reporting & Analytics
    Fix Data Quality root causes here… to prevent expensive cures here.

    Executive Brief Case Study

    Industry: Healthcare

    Source: Primary Info-Tech Research

    Align source systems to maximize business output.

    A healthcare insurance agency faced data quality issues that negatively impacted a key business use case. Business rules were not well defined, and default values used in place of real values caused concern. When dealing with multiple addresses, data was coming from different source systems.

    The challenge was to identify the most accurate address, as some were incomplete, and some lacked currency and were not up to date. This especially hampered a key business unit, marketing, which could not derive business value from key activities because it was unable to reach out to existing customers to advertise any additional products.

    For this initiative, this insurance agency took an economic approach by addressing those data quality issues using internal resources.

    Results

    Without having any MDM tools or having a master record or any specific technology relating to data quality, this insurance agency used in-house development to tackle those particular issues at the source system. Data quality capabilities such as data profiling were used to uncover those issues and address them.

    “Data quality is subjective; you have to be selective in terms of targeting the data that matters the most. When getting business tools right, most issues will be fixed and lead to achieving the most value.” – Asif Mumtaz, Data & Solution Architect

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4
    • Call #1: Learn about the concepts of data quality and the common root causes of poor data quality.
    • Call #2: Identify the core capabilities of IT for improving data quality on an enterprise scale.
    • Call #3: Determine which business units use data and require data quality remediation.
    • Call #4: Create a plan for addressing business unit data quality issues according to priority of the business units based on value and impact of data.
    • Call #5: Revisit the root causes of data quality issues and identify the relevant root causes to the highest priority business unit.
    • Call #6: Determine a strategy for fixing data quality issues for the highest priority business unit.
    • Call #7: Identify strategies for continuously monitoring and improving data quality at the organization.
    • Call #8: Learn how to incorporate data quality practices in the organization’s larger data management and data governance frameworks.
    • Call #9: Summarize results and plan next steps on how to evolve your data landscape.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between eight and twelve calls over the course of four to six months.

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1: Define Your Organization’s Data Environment and Business Landscape

    Activities
    1. Explain approach and value proposition.
    2. Detail business vision, objectives, and drivers.
    3. Discuss data quality barriers, needs, and principles.
    4. Assess current enterprise-wide data quality capabilities.
    5. Identify data quality practice future state.
    6. Analyze gaps in data quality practice.

    Deliverables
    1. Data Quality Management Primer
    2. Business Capability Map Template
    3. Data Culture Diagnostic
    4. Data Quality Diagnostic
    5. Data Quality Problem Statement Template

    Day 2: Create a Strategy for Data Quality Project 1

    Activities
    1. Create business unit prioritization roadmap.
    2. Develop subject areas project scope.
    3. By subject area 1:
    • Data lineage analysis
    • Root cause analysis
    • Impact assessment
    • Business analysis

    Deliverables
    1. Business Unit Prioritization Roadmap
    2. Subject area scope
    3. Data Lineage Diagram

    Day 3: Create a Strategy for Data Quality Project 2

    Activities
    1. Understand how data quality management fits in with the organization’s data governance and data management programs.
    2. By subject area 2:
    • Data lineage analysis
    • Root cause analysis
    • Impact assessment
    • Business analysis

    Deliverables
    1. Data Lineage Diagram
    2. Root Cause Analysis
    3. Impact Analysis

    Day 4: Create a Strategy for Data Quality Project 3

    Activities
    1. Formulate strategies and actions to achieve data quality practice future state.
    2. Formulate data quality resolution plan for defined subject area.
    3. By subject area 3:
    • Data lineage analysis
    • Root cause analysis
    • Impact assessment
    • Business analysis

    Deliverables
    1. Data Lineage Diagram
    2. Data Quality Improvement Plan

    Day 5: Create a Plan for Sustaining Data Quality

    Activities
    1. Formulate metrics for continuous tracking of data quality and monitoring the success of the data quality improvement initiative.
    2. Workshop Debrief with Project Sponsor.
    • Meet with project sponsor/manager to discuss results and action items.
    • Wrap up outstanding items from the workshop, deliverables expectations, GIs.

    Deliverables
    1. Data Quality Practice Improvement Roadmap
    2. Data Quality Improvement Plan (for defined subject areas)

    Phase 1

    Define Your Organization’s Data Environment and Business Landscape

    Build Your Data Quality Program

    Data quality is a methodology and must be treated as such

    A comprehensive data quality practice includes appropriate business requirements gathering, planning, governance, and oversight capabilities, as well as empowering technologies for properly trained staff, and ongoing development processes.

    Some common examples of appropriate data management methodologies for data quality are:

    • The data quality team has the necessary competencies and resources to perform the outlined workload.
    • There are processes that exist for continuously evaluating data quality performance capabilities.
    • Improvement strategies are designed to increase data quality performance capabilities.
    • Policies and procedures that govern data quality are well-documented, communicated, followed, and updated.
    • Change controls exist for revising policies and procedures, including communication of updates and changes.
    • Self-auditing techniques are used to ensure business-IT alignment when designing or recalibrating strategies.

    Effective data quality practices coordinate with other overarching data disciplines, related data practices, and strategic business objectives.

    “You don’t solve data quality with a Band-Aid; you solve it with a methodology.” – Diraj Goel, Growth Advisor, BC Tech

    Data quality can be defined by four key quality indicators

    Similar to measuring the acidity of a substance with a litmus test, the quality of your data can be measured using a simple indicator test. As you learn about common root causes of data quality problems in the following slides, think about these four quality indicators to assess the quality of your data:

    • Completeness – Closeness to the correct value. Encompasses accuracy, consistency, and comparability to other databases.
    • Usability – The degree to which data meets current user needs. To measure this, you must determine if the user is satisfied with the data they are using to complete their business functions.
    • Timeliness – Length of time between creation and availability of data.
    • Accessibility – How easily a user can access and understand the data (including data definitions and context). Interpretability can also be used to describe this indicator.

    Info-Tech Insight

    Quality is a relative term. Data quality is measured in terms of tolerance. Perfect data quality is both impossible and a waste of time and effort.

    How to get investment for your data quality program

    Follow these steps to convince leadership of the value of data quality:

    “You have to level with people, you cannot just start talking with the language of data and expect them to understand when the other language is money and numbers.” – Izabela Edmunds, Information Architect at Mott MacDonald

    1. Perform Phases 0 & 1 of this blueprint as this will offer value in carrying out the following steps.
    2. Build credibility. Show them your understanding of data and how it aligns to the business.
    3. Provide tangible evidence of how significant business use cases are impacted by poor quality data.
    4. Present the ROI of fixing the data quality issues you have prioritized.
    5. Explain how the data quality program will be established, implemented, and sustained.
    6. Prove the importance of fixing data quality issues at the source and how it is the most efficient, effective, and cost-friendly solution.

    Phase 1 deliverables

    Each of these deliverables serves as an input to detect key outcomes about your organization and to help complete this blueprint:

    1. Data Culture Diagnostic

    Use this report to understand where your organization lies across areas relating to data culture.

    While the Quality & Trust area of the report might be most relevant to this blueprint, this diagnostic may point out other areas demanding more attention.

    Please speak to your account manager for access

    2. Business Capability Map Template

    Perform this process to understand the capabilities that enable specific value streams. The output of this deliverable is a high-level view of your organization’s defined business capabilities.

    Info-Tech Insight

    Understanding your data culture and business capabilities is foundational to starting the journey of data quality improvement.

    Key deliverable:

    3. Data Quality Diagnostic

    The Data Quality Report is designed to help you understand, assess, and improve key organizational data quality issues. This is where respondents across various areas in the organization can assess Data Quality across various dimensions.

    Data Quality Diagnostic Value

    Prioritize business use cases with our data quality dimensions.

    • Complete this diagnostic for each major business use case. The output from the Data Culture Diagnostic and the Business Capability Map should help you understand which use cases to address.
    • Involve all key stakeholders in the business use case. There may be multiple business units involved in a single use case.
    • Prioritize the business use cases that need the most attention pertaining to data quality by comparing the scores of the Importance and Confidence data quality dimensions.

    If there are data elements that are considered of high importance and low confidence, then they must be prioritized.

    Sample Scorecard

    The image shows a screen capture of a scorecard, with sample information filled in.

    Poor data quality develops due to multiple root causes

    After you get to know the properties of good quality data, understand the underlying causes of why those indicators can point to poor data quality.

    If you notice that the usability, completeness, timeliness, or accessibility of the organization’s data is suffering, one or more of the following root causes are likely plaguing your data:

    Common root causes of poor data quality, through the lens of Info-Tech’s Five-Tier Data Architecture:

    The image shows a graphic of Info-Tech's Five-Tier Data Architecture, with root causes of poor data quality identified. In the data creation and ingestion stages, the root causes are identified as Poor system/application design, Poor database design, Inadequate enterprise integration. The root causes identified in the latter stages are: Absence of data quality policies, procedures, and standards, and Incomplete/suboptimal business processes

    These root causes of poor data quality are difficult to avoid, not only because they are often generated at an organization’s beginning stages, but also because change can be difficult. This means that the root causes are often propagated through stale or outdated business processes.

    Data quality problems root cause #1:

    Poor system or application design

    Application design plays one of the largest roles in the quality of the organization’s data. The proper design of applications can prevent data quality issues that can snowball into larger issues downstream.

    Proper ingestion is 90% of the battle. An ounce of prevention is worth a pound of cure. This is true in many different topics, and data quality is one of them. Designing an application so that data gets entered properly, whether by internal staff or external customers, is the single most effective way to prevent data quality issues.

    Some common causes of data quality problems at the application/system level include:

    • Too many open fields (free-form text fields that accept a variety of inputs).
    • There are no lookup capabilities present. Reference data should be looked up instead of entered.
    • Mandatory fields are not defined, resulting in blank fields.
    • No validation of data entries before writing to the underlying database.
    • Manual data entry encourages human error. This can be compounded by poor application design that facilitates the incorrect data entry.

    Data quality problems root cause #2:

    Poor database design

    Database design also affects data quality. How a database is designed to handle incoming data, including the schema and key identification, can impact the integrity of the data used for reporting and analytics.

    The most common type of database is the relational database. Therefore, we will focus on this type of database.

    When working with and designing relational databases, there are some important concepts that must be considered.

    Referential integrity is a term that is important for the design of relational database schema, and indicates that table relationships must always be consistent.

    For table relationships to be consistent, primary keys (unique value for each row) must uniquely identify entities in columns of the table. Foreign keys (field that is defined in a second table but refers to the primary key in the first table) must agree with the primary key that is referenced by the foreign key. To maintain referential integrity, any updates must be propagated to the primary parent key.

    Info-Tech Insight

    Other types of databases, including databases with unstructured data, need data quality consideration. However, unstructured data may have different levels of quality tolerance.

    At the database level, some common root causes include:

    1. Lack of referential integrity.
    2. Lack of unique keys.
    3. No restricted data range.
    4. Incorrect datatype, string fields that can hold too many characters.
    5. Orphaned records.
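
    The database-level root causes above, shown as an added example (not Info-Tech's tooling) using Python's built-in sqlite3 module. The table names, column names, and value ranges are assumptions made for illustration: the constrained tables reject each kind of bad write, while the unconstrained table accepts them and has to be audited afterwards.

```python
import sqlite3

# Constructed schema; every table and column name here is an assumption.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,                       -- unique key
    email       TEXT NOT NULL UNIQUE,                      -- mandatory, no duplicates
    country     TEXT NOT NULL CHECK (length(country) = 2)  -- bounded string field
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    quantity    INTEGER NOT NULL
                CHECK (typeof(quantity) = 'integer' AND quantity BETWEEN 1 AND 1000)
);
-- The same order data in a table with no keys or constraints at all.
CREATE TABLE legacy_orders (order_id INTEGER, customer_id INTEGER, quantity INTEGER);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless this is switched on per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def attempt(conn, sql):
    """Run one write; return 'ok' or the kind of constraint that rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql)
        return "ok"
    except sqlite3.IntegrityError as exc:
        # Messages look like "UNIQUE constraint failed: customer.email".
        return str(exc).split(" constraint")[0]


def column(conn, sql):
    """Return the first column of a query as a list."""
    return [row[0] for row in conn.execute(sql)]


def demo():
    conn = open_db()
    r = {}
    r["valid customer"] = attempt(conn, "INSERT INTO customer VALUES (1, 'a@example.com', 'CA')")
    r["duplicate email"] = attempt(conn, "INSERT INTO customer VALUES (2, 'a@example.com', 'US')")
    r["country too long"] = attempt(conn, "INSERT INTO customer VALUES (3, 'b@example.com', 'Canada')")
    r["valid order"] = attempt(conn, "INSERT INTO orders VALUES (10, 1, 5)")
    r["unknown customer"] = attempt(conn, "INSERT INTO orders VALUES (11, 99, 5)")
    r["quantity out of range"] = attempt(conn, "INSERT INTO orders VALUES (12, 1, 0)")
    # Deleting a parent that still has children would create an orphan, so it is blocked.
    r["delete parent"] = attempt(conn, "DELETE FROM customer WHERE customer_id = 1")

    # The unconstrained table accepts every one of these constructed rows.
    with conn:
        conn.executemany(
            "INSERT INTO legacy_orders VALUES (?, ?, ?)",
            [(10, 1, 5), (11, 99, 5), (11, 99, 5), (12, 1, -3)],
        )
    r["legacy rows accepted"] = column(conn, "SELECT COUNT(*) FROM legacy_orders")[0]
    # Audit queries that find what the missing constraints let through.
    r["legacy orphans"] = column(conn, """
        SELECT DISTINCT o.order_id FROM legacy_orders o
        LEFT JOIN customer c ON c.customer_id = o.customer_id
        WHERE c.customer_id IS NULL ORDER BY o.order_id""")
    r["legacy duplicate keys"] = column(conn, """
        SELECT order_id FROM legacy_orders
        GROUP BY order_id HAVING COUNT(*) > 1 ORDER BY order_id""")
    r["legacy out of range"] = column(conn, """
        SELECT order_id FROM legacy_orders
        WHERE quantity NOT BETWEEN 1 AND 1000 ORDER BY order_id""")
    return r


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```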

    Databases and People:

    Even though database design is a technology issue, don’t forget about the people.

    A lack of employee training on database permissions for updating/entering data into the physical databases is a common problem for data quality.

    Data quality problems root cause #3:

    Improper integration and synchronization of enterprise data

    Data ingestion is another category of data-quality-issue root causes. When moving data in Tier 2, whether it is through ETL, ESB, point-to-point integration, etc., the integrity of the data during movement and/or transformation needs to be maintained.

    Tier 2 (the data ingestion layer) serves to move data for one of two main purposes:

    • To move data from originating systems to downstream systems to support integrated business processes.
    • To move data to Tier 3, where data rests for other purposes. In its purest form, this movement means moving raw data to storage locations in an overall data warehouse environment, with the choice of how to store it reflecting security, compliance, and other standards. It is also where data is transformed for a unique business purpose and then moved to a place of rest or a place of specific use. Data cleansing, matching, and other data-related blending tasks occur at this layer.

    This ensures the data is pristine throughout the process and improves trustworthiness of outcomes and speed to task completion.

    At the integration layer, some common root causes of data quality problems include:

    1. No data mask. For example, zip code should have a mask of five numeric characters.
    2. Questionable aggregation, transformation process, or incorrect logic.
    3. Unsynchronized data refresh process in an integrated environment.
    4. Lack of a data matching tool.
    5. Lack of a data quality tool.
    6. No data profiling capability.
    7. Errors with data conversion or migration processes – when migrating, decommissioning, or converting systems – movement of data sets.
    8. Incorrect data mapping between data sources and targets.
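
    Two of the integration-layer checks above, as an added example that is not part of Info-Tech's tooling: a profile that applies data masks (the five-numeric-character zip code mask from item 1) and a source-to-target reconciliation that catches conversion and mapping errors. The field names, the state mask, and the sample rows are constructed assumptions.

```python
import re
from collections import Counter

# Data masks. The zip mask is the one named in the list above;
# the two-letter state mask is an assumption added for illustration.
MASKS = {
    "zip": re.compile(r"\d{5}"),
    "state": re.compile(r"[A-Z]{2}"),
}

# Constructed rows as extracted from a source system.
SOURCE = [
    {"id": "1", "zip": "02134", "state": "MA"},
    {"id": "2", "zip": "9021", "state": "CA"},   # too short for the mask
    {"id": "3", "zip": "", "state": "ny"},       # blank zip, lowercase state
    {"id": "4", "zip": "1000A", "state": "NY"},  # non-numeric character
    {"id": "4", "zip": "10001", "state": "NY"},  # duplicate key
]

# Constructed rows as they arrived in the target after the move.
TARGET = [
    {"id": "1", "postal_code": "2134", "state": "MA"},  # leading zero lost in conversion
    {"id": "2", "postal_code": "9021", "state": "CA"},
    {"id": "3", "postal_code": "", "state": "ny"},
]

# Declared source-field to target-field mapping.
MAPPING = {"zip": "postal_code", "state": "state"}


def profile(rows, key, masks):
    """Per field: % blank and % failing the mask; plus keys that occur more than once."""
    total = len(rows) or 1  # avoid dividing by zero on an empty extract
    report = {}
    for field, mask in masks.items():
        values = [(row.get(field) or "").strip() for row in rows]
        missing = sum(1 for v in values if not v)
        invalid = sum(1 for v in values if v and not mask.fullmatch(v))
        report[field] = {
            "missing_pct": round(100 * missing / total, 1),
            "invalid_pct": round(100 * invalid / total, 1),
        }
    counts = Counter(row[key] for row in rows)
    report["duplicate_keys"] = sorted(k for k, n in counts.items() if n > 1)
    return report


def reconcile(source, target, key, mapping):
    """Compare source and target after a move: lost rows, extra rows, changed values."""
    # If a key repeats, the last row wins; profile() reports such keys separately.
    src = {row[key]: row for row in source}
    tgt = {row[key]: row for row in target}
    mismatches = []
    for k in sorted(src.keys() & tgt.keys()):
        for s_field, t_field in mapping.items():
            before, after = src[k].get(s_field), tgt[k].get(t_field)
            if before != after:
                mismatches.append((k, s_field, before, after))
    return {
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "unexpected_in_target": sorted(tgt.keys() - src.keys()),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    print(profile(SOURCE, "id", MASKS))
    print(reconcile(SOURCE, TARGET, "id", MAPPING))
```

    The mask only checks shape: the target value "2134" for record 1 would fail the mask on its own, but it is the reconciliation that shows the value was valid at the source and damaged in transit.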

    Data quality problems root cause #4:

    Insufficient and ineffective data quality policies and procedures

    Data policies and procedures are necessary for establishing standards around data and represent another category of data-quality-issue root causes. This issue spans all five tiers of the Five-Tier Data Architecture.

    Data policies are short statements that seek to manage the creation, acquisition, integrity, security, compliance, and quality of data. These policies vary amongst organizations, depending on your specific data needs.

    • Policies describe what to do, while standards and procedures describe how to do something.
    • There should be few data policies, and they should be brief and direct. Policies are living documents and should be continuously updated to respond to the organization’s data needs.
    • The data policies should highlight who is responsible for the data under various scenarios and rules around how to manage it effectively.

    Some common root causes of data quality issues related to policies and procedures include:

    1. Policies are absent or out of date.
    2. Employees are largely unaware of policies in effect.
    3. Policies are unmonitored and unenforced.
    4. Policies are in multiple locations.
    5. Multiple versions of the same policy exist.
    6. Policies are managed inconsistently across different silos.
    7. Policies are written poorly by untrained authors.
    8. Inadequate policy training program.
    9. Draft policies stall and lose momentum.
    10. Weak policy support from senior management.

    Data quality problems root cause #5:

    Inefficient or ineffective business processes

    Some common root causes of data quality issues related to business processes include:

    1. Multiple entries of the same record lead to duplicate records proliferating in the database.
    2. Many business definitions of data.
    3. Failure to document data manipulations when presenting data.
    4. Failure to train people on how to understand data.
    5. Manually intensive processes can result in duplication of effort (creates room for errors).
    6. No clear delineation of dependencies of business processes within or between departments, which leads to a siloed approach to business processes, rather than a coordinated and aligned approach.

    Business processes can impact data quality. How data is entered into systems, as well as employee training and knowledge about the correct data definitions, can impact the quality of your organization’s data.

    These problematic business process root causes can lead to:

    Duplicate records

    Incomplete data

    Improper use of data

    Wrong data entered into fields

    These data quality issues will result in costly and inefficient manual fixes, wasting valuable time and resources.

    Phase 1 Summary

    1. Data Quality Understanding

    • Understanding that data quality is a methodology and should be treated as such.
    • Data quality can be defined by four key indicators which are completeness, usability, timeliness, and accessibility.
    • Explained how to get investment for your data quality program and showcase its value to leadership.

    2. Phase 0 Deliverables

    Introduced foundational tools to help you throughout this blueprint:

    • Complete the Data Culture Diagnostic and Business Capability Map Template as they are foundational in understanding your data culture and business capabilities to start the journey of data quality improvement.
    • Involve key relevant stakeholders when completing the Data Quality Diagnostic for each major business use case. Use the Importance and Confidence dimensions to help you prioritize which use case to address.

    3. Common Root Causes

    Addressed where multiple root causes can occur throughout the flow of your data.

    Analyzed the following common root causes of data quality:

    1. Poor system or application design
    2. Poor database design
    3. Improper integration and synchronization of enterprise data
    4. Insufficient and ineffective data quality policies and procedures
    5. Inefficient or ineffective business processes

    Phase 2

    Analyze Your Priorities for Data Quality Fixes

    Build Your Data Quality Program

    Business Context & Data Quality

    Establish the business context of data quality improvement projects at the business unit level to find common goals.

    • To ensure the data improvement strategy is business driven, start your data quality project evaluation by understanding the business context. You will then determine which business units use data and create a roadmap for prioritizing business units for data quality repairs.
    • Your business context is represented by your corporate business vision, mission, goals and objectives, differentiators, and drivers. Collectively, they provide essential information on what is important to your organization, and some hints on how to achieve that. In this step, you will gather important information about your business view and interpret the business view to establish a data view.

    Business Vision

    Business Goals

    Business Drivers

    Business Differentiators

    Not every business unit uses data to the same extent

    A data flow diagram can provide value by allowing an organization to adopt a proactive approach to data quality. Save time by knowing where the entry points are and where to look for data flaws.

    Understanding where data lives can be challenging as it is often in motion and rarely resides in one place. There are multiple benefits that come from taking the time to create a data flow diagram.

    • Mapping out the flow of data can help provide clarity on where the data lives and how it moves through the enterprise systems.
    • Having a visual of where and when data moves helps to understand who is using data and how it is being manipulated at different points.
    • A data flow diagram will allow you to elicit how data is used in a different use case.

    Info-Tech’s Four-Column Model of Data will help you to identify the essential aspects of your data:

    Business Use Case → (Used by) → Business Unit → (Housed in) → Systems → (Used for) → Usage of the Data

    Not every business unit requires the same standard of data quality

    To prioritize your business units for data quality improvement projects, you must analyze the relative importance of the data they use to the business. The more important the data is to the business, the higher the priority is of fixing that data. There are two measures for determining the importance of data: business value and business impact.

    Business Value of Data

    Business value of data can be evaluated by thinking about its ties to revenue generation for the organization, as well as how it is used for productivity and operations at the organization.

    The business value of data is assessed by asking what would happen to the following parameters if the data is not usable (due to poor quality, for example):

    • Loss of Revenue
    • Loss of Productivity
    • Increased Operating Costs

    Business Impact of Data

    Business impact of data should take into account the effects of poor data on both internal and external parties.

    The business impact of data is assessed by asking what the impact would be of bad data on the following parameters:

    • Impact on Customers
    • Impact on Internal Staff
    • Impact on Business Partners

    Value + Impact = Data Priority Score

    Ensure that the project starts on the right foot by completing Info-Tech’s Data Quality Problem Statement Template

    Before you can identify a solution, you must identify the problem with the business unit’s data.

    Use Info-Tech’s Data Quality Problem Statement Template to identify the symptoms of poor data quality and articulate the problem.

    Info-Tech’s Data Quality Problem Statement Template will walk you through a step-by-step approach to identifying and describing the problems that the business unit feels regarding its data quality.

    Before articulating the problem, it helps to identify the symptoms of the problem. The following W’s will help you to describe the symptoms of the data quality issues:

    What

    Define the symptoms and feelings produced by poor data quality in the business unit.

    Where

    Define the location of the data that are causing data quality issues.

    When

    Define how severe the data quality issues are in frequency and duration.

    Who

    Define who is affected by the data quality problems and who works with the data.

    Info-Tech Best Practice

    Symptoms vs. Problems. Often, people will identify a list of symptoms of a problem and mistake those for the problem. Identifying the symptoms helps to define the problem, but symptoms do not help to identify the solution. The problem statement helps you to create solutions.

    Define the project problem to articulate the purpose

    1 hour

    Input

    • Symptoms of data quality issues in the business unit

    Output

    • Refined problem description

    Materials

    • Data Quality Problem Statement Template

    Participants

    • Data Quality Improvement Project team
    • Business line representatives

    A defined problem helps you to create clear goals, as well as lead your thinking to determine solutions to the problem.

    A problem statement consists of one or two sentences that summarize a condition or issue that a quality improvement team is meant to address. For the improvement team to fix the problem, the problem statement therefore has to be specific and concise.

    Instructions

    1. Gather the Data Quality Improvement Project Team in a room and start with an issue that is believed to be related to data quality.
    2. Ask what are the attributes and symptoms of that reality today; do this with the people impacted by the issue. This should be an IT and business collaboration.
    3. Draw your conclusions of what it all means: what have you collectively learned?
    4. Consider the implications of your conclusions and other considerations that must be taken into account such as regulatory needs, compliance, policy, and targets.
    5. Develop solutions – Contain the problem to something that can be solved in a realistic timeframe, such as three months.

    Case Study

    A strategic roadmap rooted in business requirements primes a data quality improvement plan for success.

    MathWorks

    Industry

    Software Development

    Source

    Primary Info-Tech Research

    As part of moving to a formalized data quality practice, MathWorks leveraged an incremental approach that took its time investigating business cases to support improvement actions. Establishing realistic goals for improvement in the form of a roadmap was a central component for gaining executive approval to push the project forward.

    Roadmap Creation

    In constructing a comprehensive roadmap that incorporated findings from business process and data analyses, MathWorks opted to document five-year and three-year overall goals, with one-year objectives that supported each goal. This approach ensured that the tactical actions taken were directed by long-term strategic objectives.

    Results – Business Alignment

    In presenting their roadmap for executive approval, MathWorks placed emphasis on communicating the progression and impact of their initiatives in terms that would engage business users. They focused on maintaining continual lines of communication with business stakeholders to demonstrate the value of the initiatives and also to gradually shift the corporate culture to one that is invested in an effective data quality practice.

    “Don’t jump at the first opportunity, because you may be putting out a fire with a cup of water where a fire truck is needed.” – Executive Advisor, IT Research and Advisory Firm

    Use Info-Tech’s Practice Assessment and Project Planning Tool to create your strategy for improving data quality

    Assess IT’s capabilities and competencies around data quality and plan to build these as the organization’s data quality practice develops. Before you can fix data quality, make sure you have the necessary skills and abilities to fix data quality correctly.

    The following IT capabilities are developed on an ongoing basis and are necessary for standardizing and structuring a data quality practice:

    • Meeting Business Needs
    • Services and Projects
    • Policies, Procedures, and Standards
    • Roles and Organizational Structure
    • Oversight and Communication
    • Data Quality of Different Data Types

    Data Handling and Remediation Competencies:

    • Data Standardization: Formatting values into consistent standards based on industry standards and business rules.
    • Data Cleansing: Modification of values to meet domain restrictions, integrity constraints, or other business rules for sufficient data quality for the organization.
    • Data Matching: Identification, linking, and merging related entries in or across sets of data.
    • Data Validation: Checking for correctness of the data.

    After these capabilities and competencies are assessed for a current and desired target state, the Data Quality Practice Assessment and Project Planning Tool will suggest improvement actions that should be followed in order to build your data quality practice. In addition, a roadmap will be generated after target dates are set to create your data quality practice development strategy.

    Benchmark current and identify target capabilities for your data quality practice

    1 hour

    Input

    • Current and desired data quality practices in the organization

    Output

    • Assessment of where the gaps lie in your data quality practice

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality Project Lead
    • Business Line Representatives
    • Business Architects

    Use the Data Quality Practice Assessment and Project Planning Tool to evaluate the baseline and target capabilities of your practice in terms of how data quality is approached and executed.

    Instructions

    1. Invite the appropriate stakeholders to participate in this exercise. Examples:
      1. Business executives will have input in Tab 2
      2. Unique stakeholders: communications expert or executive advisors may have input
    2. On Tab 2: Practice Components, assess the current and target states of each capability on a scale of 1–5. Note: “Ad hoc” implies a capability is completed, but randomly, informally, and without a standardized method.

    These results will set the baseline against which you will monitor performance progress and keep track of improvements over time.

    Info-Tech Insight

    Focus on early alignment. Assessing capabilities within specific people’s job functions can naturally result in disagreement or debate, especially between business and IT people. Remind everyone that data quality should ultimately serve business needs wherever possible.

    Visualization improves the holistic understanding of where gaps exist in your data quality practice

    To enable deeper analysis on the results of your practice assessment, Tab 3: Data Quality Practice Scorecard in the Data Quality Practice Assessment and Project Planning Tool creates visualizations of the gaps identified in each of your practice capabilities and related data management practices. These diagrams serve as analysis summaries.

    Gap assessment of “Meeting Business Needs” capabilities

    The image shows a screen capture of the Gap assessment of “Meeting Business Needs” capabilities, with sample information filled in.

    Visualization of gap assessment of data quality practice capabilities

    The image shows a bar graph titled Data Quality Capabilities.

    • Enhance your gap analyses by forming a relative comparison of total gaps in key practice capability areas, which will help in determining priorities.
      • Example: In Tab 2 compare your capabilities within “Policies, Procedures, and Standards.” Then in Tab 3, compare your overall capabilities in “Policies, Procedures, and Standards” versus “Empowering Technologies.”
    • Put these up on display to improve discussion in the gap analyses and prioritization sessions.
    • Improve the clarity and flow of your strategy template, final presentations, and summary documents by copying and pasting the gap assessment diagrams.

    Before engaging in the data quality improvement project plan, receive sign-off from IT regarding feasibility

    The final piece of the puzzle is to gain sign-off from IT.

    Hofstadter's law: It always takes longer than you expect, even when you take into account Hofstadter’s Law.

    This means that before engaging IT in data quality projects to fix the business units’ data in Phase 2, IT must assess feasibility of the data quality improvement plan. A feasibility analysis is typically used to review the strengths and weaknesses of the projects, as well as the availability of required skills and technologies needed to complete them. Use the following workflow to guide you in performing a feasibility analysis:

    Project evaluation process:

    Present capabilities

    • Operational Capabilities
    • System Capabilities
    • Schedule Capabilities
      • Summary of Evaluation Results
        • Recommendations/ modifications to the project plan

    Info-Tech Best Practice

    While the PMO identifies and coordinates projects, IT must determine how long and for how much.

    Conduct gap analysis sessions to review and prioritize the capability gaps

    1 hour

    Input

    • Current and Target State Assessment

    Output

    • Documented initiatives to help you get to the target state

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality team
    • IT representatives

    Instructions

    • Analyze Gap Analysis Results – As a group, discuss the high-level results on Tab 3: Data Quality Practice Score. Discuss the implications of the gaps identified.
    • Do a line-item review of the gaps between current and target levels for each assessed capability by using Tab 2: Practice Components.
    • Brainstorm Alignment Strategies – Brainstorm the effort and activities that will be necessary to support the practice in building its capabilities to the desired target level. Ask the following questions:
      • What activities must occur to enable this capability?
      • What changes/additions to resources, process, technology, business involvement, and communication must occur?
    • Document Data Quality Initiatives – Turn activities into initiatives by documenting them in Tab 4. Data Quality Practice Roadmap. Review the initiatives and estimate the start and end dates of each one.
    • Continue to evaluate the assessment results in order to create a comprehensive set of data quality initiatives that support your practice in building capabilities.

    Create the organization’s data quality improvement strategy roadmap

    1 hour

    Input

    • Data quality practice gaps and improvement actions

    Output

    • Data quality practice improvement roadmap

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality Project Lead
    • Business Executives
    • IT Executives
    • Business Architects

    Generating Your Roadmap

    1. Plan the sequence, starting time, and length of each initiative in the Data Quality Practice Assessment and Project Planning Tool.
    2. The tool will generate a Gantt chart based on the start and length of your initiatives.
    3. The Gantt chart is generated in Tab 4: Data Quality Practice Roadmap, and can be used to organize and ensure that all of the essential aspects of data quality are addressed.

    Use the Practice Roadmap to plan and improve data quality capabilities

    Info-Tech Best Practice

    To help get you started, Info-Tech has provided an extensive list of data quality improvement initiatives that are commonly undertaken by organizations looking to improve their data quality.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    2 hours

    Create practice-level metrics to monitor your data quality practice.

    Instructions:

    1. Establish metrics for both the business and IT that will be used to determine if the data quality practice development is effective.
    2. Set targets for each metric.
    3. Collect current data to calculate the metrics and establish a baseline.
    4. Assign an owner for tracking each metric to be accountable for performance.

    | Metric | Current | Goal |
    | --- | --- | --- |
    | Usage (% of trained users using the data warehouse) | | |
    | Performance (response time) | | |
    | Resource utilization (memory usage, number of machine cycles) | | |
    | User satisfaction (quarterly user surveys) | | |
    | Data quality (% values outside valid values, % fields missing, wrong data type, data outside acceptable range, data that violates business rules. Some aspects of data quality can be automatically tracked and reported) | | |
    | Costs (initial installation and ongoing, Total Cost of Ownership including servers, software licenses, support staff) | | |
    | Security (security violations detected, where violations are coming from, breaches) | | |
    | Patterns that are used | | |
    | Reduction in time to market for the data | | |
    | Completeness of data that is available | | |
    | How many "standard" data models are being used | | |
    | What is the extra business value from the data governance program? | | |
    | How much time is spent for data prep by BI & analytics team? | | |

    Phase 2 summary

    As you improve your data quality practice and move from reactive to stable, don’t rest and assume that you can let data quality keep going by itself. Rapidly changing consumer requirements or other pains will catch up to your organization and you will fall behind again. By moving to the proactive and predictive end of the maturity scale, you can stay ahead of the curve. By following the methodology laid out in Phase 1, the data quality practices at your organization will improve over time, leading to the following results:

    Chaotic

    Before Data Quality Practice Improvements

    • No standards to data quality

    Reactive

    Year 1

    • Processes defined
    • Data cleansing approach to data quality

    Stable

    Year 2

    • Business rules/ stewardship in place
    • Education and training

    Proactive

    Year 3

    • Data quality practices fully in place and embedded in the culture
    • Trusted and intelligent enterprise

    (Global Data Excellence, Data Excellence Maturity Model)

    Phase 3

    Establish Your Organization’s Data Quality Program

    Build Your Data Quality Program

    Create a data lineage diagram to map the data journey and identify the data subject areas to be targeted for fixes

    It is important to understand the various data that exist in the business unit, as well as which data are essential to business function and require the highest degree of quality efforts.

    Visualize your databases and the flow of data. A data lineage diagram can help you and the Data Quality Improvement Team visualize where data issues lie. Keeping the five-tier architecture in mind, build your data lineage diagram.

    Reminder: Five-Tier Architecture

    The image shows the Five-Tier Architecture graphic.

    Use the following icons to represent your various data systems and databases.

    The image shows four icons. They are: the image of a square and a computer monitor, labelled Application; the image of two sheets of paper, labelled Desktop documents; the image of a green circle next to a computer monitor, labelled Web Application; and a blue cylinder labelled Database.

    Use Info-Tech’s Data Lineage Diagram to document the data sources and applications used by the business unit

    2 hours

    Input

    • Data sources and applications used by the business unit

    Output

    • Data lineage diagram

    Materials

    • Data Lineage Diagram Template

    Participants

    • Business Unit Head/Data Owner
    • Business Unit SMEs
    • Data Analysts/Architects

    Map the flow and location of data within a business unit by creating a system context diagram.

    Gain an accurate view of data locations and uses: Engage business users and representatives with a wide breadth of knowledge related to business processes and the use of data by related business operations.

    1. Sit down with key business representatives of the business unit.
    2. Document the sources of data and processes in which they’re involved, and get IT confirmation that the sources of the data are correct.
    3. Map out the sources and processes in a system context diagram.

    Sample Data Lineage Diagram

    The image shows a sample data lineage diagram, split into External Applications and Internal Applications, and showing the processes involved in each.

    Leverage Info-Tech’s Data Quality Practice Assessment and Project Planning Tool to document business context

    1 hour

    Input

    • Business vision, goals, and drivers

    Output

    • Business context for the data quality improvement project

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Data Quality project lead
    • Business line representatives
    • IT executives

    Develop goals and align them with specific objectives to set the framework for your data quality initiatives.

    In the context of achieving business vision, mission, goals, and objectives and sustaining differentiators and key drivers, think about where and how data quality is a barrier. Then brainstorm data quality improvement objectives that map to these barriers. Document your list of objectives in Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool.

    Establishing Business Context Example

    Healthcare Industry

    Vision: To improve member services and make service provider experience more effective through improving data quality and data collection, aggregation, and accessibility for all the members.

    Goals: Establish meaningful metrics that guide to the improvement of healthcare for member effectiveness of health care providers:

    • Data collection
    • Data harmonization
    • Data accessibility and trust by all constituents.

    Differentiator: Connect service consumers with service providers that comply with established regulations by delivering data that is accurate, trusted, timely, and easy to understand to connect service providers and eliminate bureaucracy and save money and time.

    Key Driver: Seamlessly provide healthcare for members.

    Document the identified business units and their associated data

    30 minutes

    Input

    • Business units

    Output

    • Documented business units to begin prioritization

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Project Manager

    Instructions

    1. Using Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool, document the business units that use data in the organization. This will likely be all business units in the organization.
    2. Next, document the primary data used by those business units.
    3. These inputs will then be used to assess business unit priority to generate a data quality improvement project roadmap.

    The image shows a screen capture of Tab 5: Prioritize Business Units, with sample information inputted.

    Reminder – Not every business unit requires the same standard of data quality

    To prioritize your business units for data quality improvement projects, you must analyze the relative importance of the data they use to the business. The more important the data is to the business, the higher the priority of fixing that data. There are two measures for determining the importance of data: business value and business impact.

    Business Value of Data

    Business value of data can be evaluated by thinking about its ties to revenue generation for the organization, as well as how it is used for productivity and operations at the organization.

    The business value of data is assessed by asking what would happen to the following parameters if the data is not usable (due to poor quality, for example):

    • Loss of Revenue
    • Loss of Productivity
    • Increased Operating Costs

    Business Impact of Data

    Business impact of data should take into account the effects of poor data on both internal and external parties.

    The business impact of data is assessed by asking what the impact would be of bad data on the following parameters:

    • Impact on Customers
    • Impact on Internal Staff
    • Impact on Business Partners

    Value + Impact = Data Priority Score

    Assess the business unit priority order for data quality improvements

    2 hours

    Input

    • Assessment of value and impact of business unit data

    Output

    • Prioritization list for data quality improvement projects

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Project Manager
    • Data owners

    Instructions

    In Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool, assess business value and business impact of the data within each documented business unit.

    Use the ratings High, Medium, and Low to measure the financial, productivity, and efficiency value and impact of each business unit’s data.

    In addition to these ratings, assess the number of help desk tickets that are submitted to IT regarding data quality issues. This parameter is an indicator that the business unit’s data is high priority for data quality fixes.

    Create a business unit order roadmap for your data quality improvement projects

    1 hour

    Input

    • Rating of importance of data for each business unit

    Output

    • Roadmap for data quality improvement projects

    Materials

    • Data Quality Practice Assessment and Project Planning Tool

    Participants

    • Project Manager
    • Product Manager
    • Business line representatives

    Instructions

    After assessing the business units for the business value and business impact of their data, the Data Quality Practice Assessment and Project Planning Tool automatically assesses the prioritization of the business units based on your ratings. These prioritizations are then summarized in a roadmap on Tab 6: Data Quality Project Roadmap. The following is an example of a project roadmap:

    The image shows an example of a project roadmap, with three business units listed vertically along the left hand side, and a Gantt chart showing the time periods in which each Business Unit would work. At the bottom, a table shows the Length of the Project in days (100), and the start date for the first project.

    On Tab 6, insert the timeline for your data quality improvement projects, as well as the starting date of your first data quality project. The roadmap will automatically update with the chosen timing and dates.

    Identify metrics at the business unit level to track data quality improvements

    As you improve the data quality for specific business units, measuring the benefits of data quality improvements will help you demonstrate the value of the projects to the business.

    Use the following table to guide you in creating business-aligned metrics:

    | Business Unit | Driver | Metrics | Goal |
    |---|---|---|---|
    | Sales | Customer Intimacy | Accuracy of customer data. Percent of missing or incomplete records. | 10% decrease in customer record errors. |
    | Marketing | Customer Intimacy | Accuracy of customer data. Percent of missing or incomplete records. | 10% decrease in customer record errors. |
    | Finance | Operational Excellence | Relevance of financial reports. | Decrease in report inaccuracy complaints. |
    | HR | Risk Management | Accuracy of employee data. | 10% decrease in employee record errors. |
    | Shipping | Operational Excellence | Timeliness of invoice data. | 10% decrease in time to report. |

    Info-Tech Insight

    Relating data governance success metrics to overall business benefits keeps executive management and executive sponsors engaged because they are seeing actionable results. Review metrics on an ongoing basis with those data owners/stewards who are accountable, the data governance steering committee, and the executive sponsors.

    Case Study

    Address data quality with the right approach to maximize the ROI

    EDC

    Industry: Government

    Source: Environment Development of Canada (EDC)

    Challenge

    Environment Development Canada (EDC) would initially identify data elements that are important to the business purely based on their business instinct.

    Leadership attempted to tackle the enterprise’s data issues by bringing a set of different tools into the organization.

    It didn’t work out because the fundamental foundational layer, which is the data and infrastructure, was not right – they didn't have the foundational capabilities to enable those tools.

    Solution

    Leadership listened to the need for one single team to be responsible for the data persistence.

    Therefore, the data platform team was granted that mandate to extensively execute the data quality program across the enterprise.

    A data quality team was formed under the Data & Analytics COE. They had the mandate to profile the data and to understand what quality of data needed to be achieved. They worked constantly with the business to build the data quality rules.

    Results

    EDC tackled the source of their data quality issues through initially performing a data quality management assessment with business stakeholders.

    From then on, EDC was able to establish their data quality program and carry out other key initiatives that prove the ROI on data quality.

    Begin your data quality improvement project starting with the highest priority business unit

    Now that you have a prioritized list for your data quality improvement projects, identify the highest priority business unit. This is the business unit you will work through Phase 3 with to fix their data quality issues.

    Once you have initiated and identified solutions for the first business unit, tackle data quality for the next business unit in the prioritized list.

    The image is a graphic labelled as Phase 2. On the left, there is a vertical arrow pointing upward labelled Priority of Business Units. Next to it, there are three boxes, with downward pointing arrows between them, each box labelled as each Business Unit's Data Quality Improvement Project. From there an arrow points right to a circle. Inside the circle are the steps necessary to complete the data quality improvement project.

    Create and document your data quality improvement team

    1 hour

    Input

    • Individuals who fit the data quality improvement plan team roles

    Output

    • Project team

    Materials

    • Data Quality Improvement Plan Template

    Participants

    • Data owner
    • Project Manager
    • Product Manager

    The Data Quality Improvement Plan is a concise document that should be created for each data quality project (i.e. for each business unit) to keep track of the project.

    Instructions

    1. Meet with the data owner of the business unit identified for the data quality improvement project.
    2. Identify individuals who fit the data quality improvement plan team roles.
    3. Use the Data Quality Improvement Plan Template to document the roles and the individuals who will fill those roles.
    4. Have an introductory meeting with the Improvement team to clarify roles and responsibilities for the project.

    | Team role | Assigned to |
    |---|---|
    | Data Owner | [Name] |
    | Project Manager | [Name] |
    | Business Analyst/BRM | [Name] |
    | Data Steward | [Name] |
    | Data Analyst | [Name] |

    Document the business context of the Data Quality Improvement Plan

    1 hour

    Input

    • Project team
    • Identified data attributes

    Output

    • Business context for the data quality improvement plan

    Materials

    • Data Quality Improvement Plan Template

    Participants

    • Data owner
    • Project Sponsor
    • Product owner

    Data quality initiatives have to be relevant to the business, and the business context will be used to provide inputs to the data improvement strategy. The context can then be used to determine exactly where the root causes of data quality issues are, which will inform your solutions.

    Instructions

    The business context of the data quality improvement plan includes documenting from previous activities:

    1. The Data Quality Improvement Team.
    2. Your Data Lineage Diagram.
    3. Your Data Quality Problem Statement.

    Info-Tech Best Practice

    While many organizations adopt data quality principles, not all organizations express them along the same terms. Have multiple perspectives within your organization outline principles that fit your unique data quality agenda. Anyone interested in resolving the day-to-day data quality issues that they face can be helpful for creating the context around the project.

    Now that you have a defined problem, revisit the root causes of poor data quality

    You previously fleshed out the problem with data quality present in the business unit chosen as highest priority. Now it is time to figure out what is causing those problems.

    In the table below, you will find some of the common categories of causes of data quality issues, as well as some specific root causes.

    | Category | Description |
    |---|---|
    | 1. System/Application Design | Ineffective, insufficient, or even incorrect system/application design accepts incorrect and missing data elements into the source applications and databases. The data records in those source systems may propagate into systems in tiers 2, 3, 4, and 5 of the 5-tier architecture, creating domino and ripple effects. |
    | 2. Database Design | The database is created and modeled in an incorrect manner so that the management of the data records is incorrect, resulting in duplicated and orphaned records, and records that are missing data elements or contain incorrect data elements. Poor operational data in databases often leads to issues in tiers 2, 3, 4, and 5. |
    | 3. Enterprise Integration | Data or information is improperly integrated, transformed, masked, and aggregated in tier 2. In addition, some data integration tasks might not be timely, resulting in out-of-date data or even data that contradicts other data. Enterprise integration is a precursor of loading a data warehouse and data marts. Issues in this layer affect tiers 3, 4, and 5 of the 5-tier architecture. |
    | 4. Policies and Procedures | Policies and procedures are not effectively used to reinforce data quality. In some situations, policy gaps are found. In others, policies overlap and are duplicated. Policies may also be out of date or too complex, affecting the users’ ability to interpret the policy objectives. Policies affect all tiers in the 5-tier architecture. |
    | 5. Business Processes | Improper business process design introduces poor data into the data systems. Failure to create processes around approving data changes, failure to document key data elements, and failure to train employees on the proper uses of data make data quality a burning problem. |

    Leverage a root cause analysis approach to pinpoint the origins of your data issues

    A root cause analysis is a systematic approach to decompose a problem into its components. Use fishbone diagrams to help reveal the root causes of data issues.

    The image shows a fishbone diagram on the left, which starts with Process on the left, and then leads to Application and Integration, and then Database and Policies. This section is titled Root causes. The right hand section is titled Lead to problems with data... and includes 4 circles with the word or in between each. The circles are labelled: Completeness; Usability; Timeliness; Accessibility.

    Info-Tech recommends five root cause categories for assessing data quality issues:

    Application Design. Is the issue caused by human error at the application level? Consider internal employees, external partners/suppliers, and customers.

    Database Design. Is the issue caused by a particular database and stems from inadequacies in its design?

    Integration. Data integration tools may not be fully leveraged, or data matching rules may be poorly designed.

    Policies and Procedures. Do the issues take place because of lack of governance?

    Business Processes. Do the issues take place due to insufficient processes?

    For Example:

    When performing a deeper analysis of your data issues related to the accuracy of the business unit’s data, you would perform a root cause analysis by assessing the contribution of each of the five categories of data quality problem root causes:

    The image shows another fishbone diagram, with example information filled in. The first section on the left is titled Application Design, and includes the text: Data entry problems lead to incorrect accounting entries. The second is Integration, and includes the text: Data integration tools are not fully leveraged. The third section is Policies, and includes the text: No policy on standardizing name and address. The last section is Database design, with text that reads: Databases do not contain unique keys. The diagram ends with an arrow pointing right to a blue circle with Accuracy in it.

    Leverage a combination of data analysis techniques to identify and quantify root causes

    Info-Tech Insight

    Including all attributes of the key subject area in your data profiling activities may produce too much information to make sense of. Conduct data profiling primarily at the table level and undergo attribute profiling only if you are able to narrow down your scope sufficiently.

    Data Profiling Tool

    Data profiling extracts a sample of the target data set and runs it through multiple levels of analysis. The end result is a detailed report of statistics about a variety of data quality criteria (duplicate data, incomplete data, stale data, etc.).

    Many data profiling tools have built-in templates and reports to help you uncover data issues. In addition, they quantify the occurrences of the data issues.

    E-Discovery Tool

    This supplements a profiling tool. For example, use a BI tool to create a custom grouping of all the invalid states (e.g. “CAL,” “AZN,” etc.) and visualize the percentage of invalid states compared to all states.

    SQL Queries

    This supplements a profiling tool. For example, use a SQL statement to group the customer data by customer segment and then by state to identify which segment–state combinations contain poor data.
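
    The segment-by-state grouping described above, together with the invalid-state percentage from the E-Discovery paragraph, as an added example that is not part of the original material or the Info-Tech tool. It uses Python's built-in sqlite3; the table names, the shortened state reference list, and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample rows: (customer_id, segment, state). "CAL" and "AZN" are
# the invalid state values the text mentions; None is a missing value.
SAMPLE_CUSTOMERS = [
    (1, "Retail", "CA"), (2, "Retail", "CAL"), (3, "Retail", "CA"),
    (4, "Retail", "AZ"), (5, "Retail", None),
    (6, "Wholesale", "AZN"), (7, "Wholesale", "AZN"), (8, "Wholesale", "AZ"),
    (9, "Wholesale", "NY"), (10, "Wholesale", "ny"),
]
VALID_STATES = ["AZ", "CA", "NY"]  # assumed reference list, shortened for the example

# One row per segment-state combination, labelled by joining to the reference list.
PROFILE_SQL = """
SELECT c.segment,
       COALESCE(c.state, '<missing>') AS state_value,
       COUNT(*) AS records,
       CASE WHEN c.state IS NULL THEN 'missing'
            WHEN MAX(r.code) IS NULL THEN 'invalid'
            ELSE 'ok' END AS status
FROM customer AS c
LEFT JOIN ref_state AS r ON r.code = c.state
GROUP BY c.segment, c.state
ORDER BY c.segment, state_value
"""

# Share of records per segment whose state is missing or not in the reference list.
SEGMENT_SQL = """
SELECT c.segment,
       ROUND(100.0 * SUM(r.code IS NULL) / COUNT(*), 1) AS pct_poor
FROM customer AS c
LEFT JOIN ref_state AS r ON r.code = c.state
GROUP BY c.segment
ORDER BY pct_poor DESC
"""


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ref_state (code TEXT PRIMARY KEY NOT NULL)")
    conn.execute(
        "CREATE TABLE customer ("
        "customer_id INTEGER PRIMARY KEY, segment TEXT NOT NULL, state TEXT)"
    )
    conn.executemany("INSERT INTO ref_state VALUES (?)", [(s,) for s in VALID_STATES])
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def profile_states(conn):
    """Rows of (segment, state, record count, status) for every combination."""
    return conn.execute(PROFILE_SQL).fetchall()


def poor_data_by_segment(conn):
    """Map each segment to the percentage of its records with a bad state value."""
    return dict(conn.execute(SEGMENT_SQL).fetchall())


if __name__ == "__main__":
    db = build_db()
    for segment, state, records, status in profile_states(db):
        print(f"{segment:<10} {state:<10} {records:>3}  {status}")
    for segment, pct in poor_data_by_segment(db).items():
        print(f"{segment}: {pct}% of records have a missing or invalid state")
```

    The comparison is case-sensitive, so the lowercase "ny" row is reported as invalid rather than silently merged with "NY".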

    Identify the data issues for the particular business unit under consideration

    2 hours

    Input

    • Issues with data quality felt by the business unit
    • Data lineage diagram

    Output

    • Categorized data quality issues

    Materials

    • Whiteboard, markers, sticky notes
    • Data Quality Improvement Plan Template

    Participants

    • Data quality improvement project team
    • Business line representatives

    Instructions

    1. Gather the data quality improvement project team in a room, along with sticky notes and a whiteboard.
    2. Display your previously created data lineage diagram on the whiteboard.
    3. Using color-coded sticky notes, attach issues to each component of the data lineage diagram that team members can identify. Use different colors for the four quality attributes: Completeness, Usability, Timeliness, and Accessibility.

    Example:

    The image shows the data lineage diagram that has been shown in previous sections. In addition, the image shows 4 post-its arranged around the diagram, labelled: Usability; Completeness; Timeliness; and Accessibility.

    Map the data issues on fishbone diagrams to identify root causes

    1 hour

    Input

    • Categorized data quality issues

    Output

    • Completed fishbone diagrams

    Materials

    • Whiteboard, markers, sticky notes
    • Data Quality Improvement Plan Template

    Participants

    • Data quality improvement project team

    Now that you have data quality issues classified according to the data quality attributes, map these issues onto four fishbone diagrams.

    The image shows a fishbone diagram, which is titled Example: Root cause analysis diagram for data accuracy.

    Get to know the root causes behind system/application design mistakes

    Suboptimal system/application design provides entry points for bad data.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Insufficient data mask No data mask is defined for a free-form text field in a user interface. E.g. North American phone number should have 4 masks – country code (1-digit), area code (3-digit), and local number (7-digit). X X
    Too many free-form text fields Incorrect use of free-form text fields (fields that accept a variety of inputs). E.g. Use a free-form text field for zip code instead of a backend look up. X X
    Lack of value lookup Reference data is not looked up from a reference list. E.g. State abbreviation is entered instead of being looked up from a standard list of states. X X
    Lack of mandatory field definitions Mandatory fields are not identified and reinforced, resulting in data records with many missing data elements. E.g. Some users may fill in 2 or 3 fields in a UI that has 20 non-mandatory fields. X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Application Design section is highlighted.

    Get to know the root causes behind common database design mistakes

    Improper database design allows incorrect data to be stored and propagated.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Incorrect referential integrity Referential integrity constraints are absent or incorrectly implemented, resulting in child records without parent records, or related records are updated or deleted in a cascading manner. E.g. An invoice line item is created before an invoice is created. X X
    Lack of unique keys Lack of unique keys creating scenarios where record uniqueness cannot be guaranteed. E.g. Customer records with the same customer_ID. X X
    Data range Fail to define a data range for incoming data, resulting in data values that are out of range. E.g. The age field is able to store an age of 999. X X
    Incorrect data type Incorrect data types are used to store data fields. E.g. A string field is used to store zip codes. Some users use that to store phone numbers, birthdays, etc. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Database Design section is highlighted

    Get to know the root causes behind enterprise integration mistakes

    Improper data integration or synchronization may create poor analytical data.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Incorrect transformation Transformation is done incorrectly. A wrong formula may have been used, transformation is done at the wrong data granularity, or aggregation logic is incorrect. E.g. Aggregation is done for all customers instead of just active customers. X X
    Data refresh is out of sync Data is synchronized at different intervals, resulting in a data warehouse where data domains are out of sync. E.g. Customer transactions are refreshed to reflect the latest activities but the account balance is not yet refreshed. X X
    Data is matched incorrectly Fail to match records from disparate systems, resulting in duplications and unmatched records. E.g. Unable to match customers from different systems because they have different cust_ID. X X
    Incorrect data mapping Fields from source systems are not properly matched with data warehouse fields. E.g. Status fields from different systems are mixed into one field. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Integration section is highlighted

    Get to know the root causes behind policy and procedure mistakes

    Suboptimal policies and procedures undermine the effect of best practices.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Policy Gaps There are gaps in the policy landscape in terms of some missing key policies or policies that are not refreshed to reflect the latest changes. E.g. A data entry policy is absent, leading to inconsistent data entry practices. X X
    Policy Communications Policies are in place but the policies are not communicated effectively to the organization, resulting in misinterpretation of policies and under-enforcement of policies. E.g. The data standard is created but very few developers are aware of its existence. X X
    Policy Enforcement Policies are in place but not proactively re-enforced and that leads to inconsistent application of policies and policy adoption. E.g. Policy adoption is dropping over time due to lack of reinforcement. X X
    Policy Quality Policies are written by untrained authors and they do not communicate the messages. E.g. A non-technical data user may find a policy that is loaded with technical terms confusing. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Policies section is highlighted

    Get to know the root causes behind common business process mistakes

    Ineffective and inefficient business processes create entry points for poor data.

    Business Process
    Usually found in → Tier 1 Tier 2 Tier 3 Tier 4 Tier 5
    Issue Root Causes Usability Completeness Timeliness Accessibility
    Lack of training Key data personnel and business analysts are not trained in data quality and data governance, leading to lack of accountability. E.g. A data steward is not aware of downstream impact of a duplicated financial statement. X X
    Ineffective business process The same piece of information is entered into data systems two or more times. Or a piece of data is stalled in a data system for too long. E.g. A paper form is scanned multiple times to extract data into different data systems. X X
    Lack of documentation Fail to document the work flows of the key business processes. A lack of work flow results in sub-optimal use of data. E.g. Data is modeled incorrectly due to undocumented business logic. X X
    Lack of integration between business silos Business silos hold on to their own datasets resulting in data silos in which data is not shared and/or data is transferred with errors. E.g. Data from a unit is extracted as a data file and stored in a shared drive with little access. X X

    The image shows a fishbone diagram, with the following sections, from left to right: Application Design; Integration; Processes; Policies; Database Design; Data Quality Measure. The Processes section is highlighted

    Phase 3 Summary

    1. Data Lineage Diagram
      • Creating the data lineage diagram is recommended to help visualize the flow of your data and to map the data journey and identify the data subject areas to be targeted for fixes.
      • The data lineage diagram was leveraged multiple times throughout this Phase. For example, the data lineage diagram was used to document the data sources and applications used by the business unit.
    2. Business Context
      • Business context was documented through the Data Quality Practice Assessment and Project Planning Tool.
      • The same tool was used to document identified business units and their associated data.
      • Metrics were also identified at the business unit level to track data quality improvements.
    3. Common Root Causes
      • Leverage a root cause analysis approach to pinpoint the origins of your data quality issues.
      • Analyzed and got to know the root causes behind the following:
        1. System/application design mistakes
        2. Common database design mistakes
        3. Enterprise integration mistakes
        4. Policies and procedures mistakes
        5. Common business processes mistakes

    Phase 4

    Grow and Sustain Your Data Quality Program

    Build Your Data Quality Program

    For the identified root causes, determine the solutions for the problem

    As you worked through the previous step, you identified the root causes of your data quality problems within the business unit. Now, it is time to identify solutions.

    The following slides provide an overview of the solutions to common data quality issues. As you identify solutions that apply to the business unit being addressed, insert the solution tables in Section 4: Proposed Solutions of the Data Quality Improvement Plan Template.

    All data quality solutions have two components to them:

    • Technology
    • People

    For the next five data quality solution slides, look for the slider for the contributions of each category to the solution. Use this scale to guide you in creating solutions.

    When designing solutions, keep in mind that solutions to data quality problems are not mutually exclusive. In other words, an identified root cause may have multiple solutions that apply to it.

    For example, if an application is plagued with inaccurate data, the application design may be suboptimal, but also the process that leads to data being entered may need fixing.

    Data quality improvement strategy #1:

    Fix data quality issues by improving system/application design.

    Technology

    Application Interface Design

    Restrict field length – Capture only the characters you need for your application.

    Leverage data masks – Use data masks in standardized fields like zip code and phone number.

    Restrict the use of open text fields and use reference tables – Only present open text fields when there is a need. Use reference tables to limit data values.

    Provide options – Use radio buttons, drop-down lists, and multi-select instead of using open text fields.

    Data Validation at the Application Level

    Validate data before committing – Use simple validation to ensure the data entered is not random numbers and letters.

    Track history – Keep track of who entered what fields.

    Cannot submit twice – Only design for one-time submission.
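
    One way to combine the interface and validation controls listed above (field length limits, data masks, reference-list lookup, mandatory fields, validation before commit, entry history, and single submission), as an added example that is not Info-Tech's code. The field names, mask formats, length limits, and the CustomerStore class are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

STATE_CODES = {"AZ", "CA", "NY"}   # assumed reference table, shortened
MAX_LEN = {"name": 60, "phone": 17, "zip": 10, "state": 2}   # restrict field length
MANDATORY = ("name", "phone", "zip", "state")
MASKS = {   # data masks for standardized fields (formats assumed for the example)
    "phone": re.compile(r"\+1 \(\d{3}\) \d{3}-\d{4}"),
    "zip": re.compile(r"\d{5}(-\d{4})?"),
}


def validate(record):
    """Return (field, problem) pairs; an empty list means the record may be committed."""
    errors = []
    for name in MANDATORY:
        if not str(record.get(name) or "").strip():
            errors.append((name, "mandatory field is empty"))
    for name, value in record.items():
        if name not in MAX_LEN:
            errors.append((name, "unexpected field"))
            continue
        value = str(value or "")
        if not value.strip():
            continue  # empty value: already reported by the mandatory check
        if len(value) > MAX_LEN[name]:
            errors.append((name, f"longer than {MAX_LEN[name]} characters"))
        elif name in MASKS and not MASKS[name].fullmatch(value):
            errors.append((name, "does not match the field mask"))
        elif name == "state" and value not in STATE_CODES:
            errors.append((name, "not in the reference list"))
    return errors


class CustomerStore:
    """In-memory stand-in for the system of record (hypothetical, for the example)."""

    def __init__(self):
        self.rows = {}      # submission_id -> committed record
        self.history = []   # audit trail: who entered which fields, and when

    def submit(self, submission_id, user, record):
        """Validate, then commit at most once. Returns (status, errors)."""
        if submission_id in self.rows:
            return ("duplicate", [])     # the same form cannot be submitted twice
        errors = validate(record)
        if errors:
            return ("rejected", errors)  # nothing is written when validation fails
        self.rows[submission_id] = dict(record)
        self.history.append({
            "submission_id": submission_id,
            "user": user,
            "fields": sorted(record),
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return ("committed", [])


if __name__ == "__main__":
    store = CustomerStore()
    good = {"name": "Ada Example", "phone": "+1 (415) 555-0100",
            "zip": "94105", "state": "CA"}          # constructed sample input
    bad = {"name": "", "phone": "4155550100", "state": "CAL"}
    print(store.submit("form-1", "clerk7", good))
    print(store.submit("form-1", "clerk7", good))   # second click on Submit
    print(store.submit("form-2", "clerk7", bad))
```

    Server-side checks like these should mirror whatever masks and drop-down lists the user interface presents, because the interface alone does not stop a client that bypasses it.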

    People

    Training

    Data-entry training – Training that is related to data entry, creating, or updating data records.

    Data resolution training – Training data stewards or other dedicated data personnel on how to resolve data records that are not entered properly.

    Continuous Improvement

    Standards – Develop application design principles and standards.

    Field testing – Field data entry with a few people to look for abnormalities and discrepancies.

    Detection and resolution – Abnormal data records should be isolated and resolved ASAP.

    Application Testing

    Thorough testing – Application design is your first line of defence against poor data. Test to ensure bad data is kept out of the systems.

    Case Study

    HMS

    Industry: Healthcare

    Source: Informatica

    Improve your data quality ingestion procedures to provide better customer intimacy for your users

    Healthcare Management Systems (HMS) provides cost containment services for healthcare sponsors and payers, and coordinates benefits services. This is to ensure that healthcare claims are paid correctly to both government agencies and individuals. To do so, HMS relies on data, and this data needs to be of high quality to ensure the correct decisions are made, the right people get the correct claims, and the appropriate parties pay out.

    To improve the integrity of HMS’s customer data, HMS put in place a framework that helped to standardize the collection of high volume and highly variable data.

    Results

    Working with a data quality platform vendor to establish a framework for data standardization, HMS was able to streamline data analysis and reduce new customer implementations from months to weeks.

    HMS data was plagued with a lack of standardization of data ingestion procedures.

    | Before improving data quality processes | After improving data quality processes |
    |---|---|
    | Data Ingestion: Many standards of ingestion. | Data Ingestion: Standardized data ingestion |
    | Data Storage: Lack of ability to match data, creating data quality errors. | Data Storage |
    | Data Analysis | Data Analysis |
    | = Slow Customer Implementation Time | = 50% Reduction in Customer Implementation Time |

    Data quality improvement strategy #2:

    Fix data quality issues using proper database design.

    Technology

    Database Design Best Practices

    Referential integrity – Ensure parent/child relationships are maintained in terms of cascade creation, update, and deletion.

    Primary key definition – Ensure there is at least one key to guarantee the uniqueness of the data records, and primary key should not allow null.

    Validate data domain – Create triggers to check the data values entered in the database fields.

    Field type and length – Define the most suitable data type and length to hold field values.
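
    The four database design practices above, applied to the bad writes named in the earlier root-cause tables (a duplicate customer_ID, an age of 999, a phone number stored in the zip field, an invoice line item created before its invoice). This is an added example, not code from the original material; it uses SQLite through Python's sqlite3, and the schema, table names, and the upper age limit of 130 are assumptions.

```python
import sqlite3

# The "before" design: no keys, no constraints, so every write below is stored.
WEAK_SCHEMA = """
CREATE TABLE customer (customer_id TEXT, age INTEGER, zip TEXT);
CREATE TABLE invoice (invoice_id INTEGER, customer_id TEXT);
CREATE TABLE invoice_line (line_id INTEGER, invoice_id INTEGER, amount REAL);
"""

# The hardened design. SQLite lets a non-INTEGER PRIMARY KEY hold NULL unless
# NOT NULL is stated, so the key column says so explicitly.
HARDENED_SCHEMA = """
CREATE TABLE customer (
    customer_id TEXT PRIMARY KEY NOT NULL,
    age INTEGER NOT NULL,
    zip TEXT NOT NULL CHECK (length(zip) = 5 AND zip NOT GLOB '*[^0-9]*')
);
CREATE TABLE invoice (
    invoice_id INTEGER PRIMARY KEY,
    customer_id TEXT NOT NULL REFERENCES customer(customer_id) ON DELETE RESTRICT
);
CREATE TABLE invoice_line (
    line_id INTEGER PRIMARY KEY,
    invoice_id INTEGER NOT NULL REFERENCES invoice(invoice_id) ON DELETE CASCADE,
    amount REAL NOT NULL
);
-- Triggers validate the data domain on both insert and update.
CREATE TRIGGER customer_age_ins BEFORE INSERT ON customer
WHEN NEW.age NOT BETWEEN 0 AND 130
BEGIN SELECT RAISE(ABORT, 'age out of range'); END;
CREATE TRIGGER customer_age_upd BEFORE UPDATE OF age ON customer
WHEN NEW.age NOT BETWEEN 0 AND 130
BEGIN SELECT RAISE(ABORT, 'age out of range'); END;
"""

# Constructed bad writes, one per issue described in the text.
BAD_WRITES = [
    ("duplicate customer_ID", "INSERT INTO customer VALUES ('C1', 41, '10001')"),
    ("null key", "INSERT INTO customer VALUES (NULL, 30, '10001')"),
    ("age of 999", "INSERT INTO customer VALUES ('C2', 999, '10001')"),
    ("phone number in zip field", "INSERT INTO customer VALUES ('C3', 30, '4155550100')"),
    ("line item before invoice", "INSERT INTO invoice_line VALUES (1, 500, 9.99)"),
]


def open_db(schema):
    """Create an in-memory database with one valid customer already present."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys without this
    conn.executescript(schema)
    conn.execute("INSERT INTO customer VALUES ('C1', 34, '94105')")
    return conn


def run_bad_writes(schema):
    """Attempt every bad write and report whether the database stored or refused it."""
    conn = open_db(schema)
    outcome = {}
    for label, sql in BAD_WRITES:
        try:
            conn.execute(sql)
            outcome[label] = "accepted"
        except sqlite3.DatabaseError as exc:
            outcome[label] = f"rejected: {exc}"
    return outcome


def orphans_after_invoice_delete(schema):
    """Delete an invoice that has two line items; return how many line items remain."""
    conn = open_db(schema)
    conn.execute("INSERT INTO invoice VALUES (1, 'C1')")
    conn.executemany("INSERT INTO invoice_line VALUES (?, 1, ?)", [(1, 5.0), (2, 7.5)])
    conn.execute("DELETE FROM invoice WHERE invoice_id = 1")
    return conn.execute("SELECT COUNT(*) FROM invoice_line").fetchone()[0]


if __name__ == "__main__":
    for name, schema in (("weak", WEAK_SCHEMA), ("hardened", HARDENED_SCHEMA)):
        print(name)
        for label, result in run_bad_writes(schema).items():
            print(f"  {label}: {result}")
        print(f"  orphaned line items after delete: {orphans_after_invoice_delete(schema)}")
```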

    One-Time Data Fix (more on the next slide)

    Explore solutions – Where to fix the data issues? Is there a case to fix the issues?

    Running profiling tools to catch errors – Run scans on the database with defined criteria to identify occurrences of questionable data.

    Fix a sample before fixing all records – Use a proof-of-concept approach to explore fix options and evaluate impacts before fixing the full set.

    People

    The DBA Team

    Perform key tasks in pairs – Take a pair approach to perform key tasks so that validation and cross-check can happen.

    Skilled DBAs – DBAs should be certified and accredited.

    Competence – Assess DBA competency on an ongoing basis.

    Preparedness – Develop drills to simulate data issues and train DBAs.

    Cross train – Cross train team members so that one DBA can cover another DBA.

    Data quality improvement strategy #3:

    Improve integration and synchronization of enterprise data.

    Technology

    Integration Architecture

    Info-Tech’s 5-Tier Architecture – When doing transformations, it is good practice to persist the integration results in tier 3 before the data is further refined and presented in tier 4.

    Timing, timing, and timing – Think of the sequence of events. You may need to perform some ETL tasks before other tasks to achieve synchronization and consistency.

    Historical changes – Ensure your tier 3 is robust enough to include historical data. You need to enable type 2 slowly changing dimensions to recreate the data at a point in time.

    Data Cleansing

    Standardize – Leverage data standardization to standardize name and address fields to improve matching and integration.

    Fuzzy matching – When there are no common keys between datasets, the datasets can only be matched by fuzzy matching. Fuzzy matching is not hard science; define a confidence level and think about a mechanism to deal with the unmatched.
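    The standardize and fuzzy-matching steps above, shown as an added example (not part of the original research). The abbreviation table, the 0.90 and 0.75 confidence levels, the use of Python's difflib as the similarity measure, and the sample records are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed standardization table: expand common name/address abbreviations.
ABBREVIATIONS = {
    "st": "street", "rd": "road", "ave": "avenue",
    "corp": "corporation", "inc": "incorporated", "ltd": "limited",
}


def standardize(text):
    """Lower-case, strip punctuation, collapse spaces, expand abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)


def pair_score(left, right):
    """Confidence in [0, 1]: mean similarity of standardized name and address."""
    name = SequenceMatcher(
        None, standardize(left["name"]), standardize(right["name"])).ratio()
    addr = SequenceMatcher(
        None, standardize(left["address"]), standardize(right["address"])).ratio()
    return (name + addr) / 2


def match_datasets(left, right, accept=0.90, review=0.75):
    """Pair records that share no common key.

    Returns (matched, needs_review, unmatched):
      matched       score >= accept, safe to integrate automatically
      needs_review  review <= score < accept, queued for a data steward
      unmatched     left-side ids with no candidate at or above `review`
    Pairs are assigned greedily, best score first, one-to-one.
    """
    scored = sorted(
        ((pair_score(l, r), l["id"], r["id"]) for l in left for r in right),
        key=lambda t: (-t[0], t[1], t[2]),
    )
    used_left, used_right = set(), set()
    matched, needs_review = [], []
    for score, lid, rid in scored:
        if score < review:
            break  # everything after this is below the confidence floor
        if lid in used_left or rid in used_right:
            continue
        used_left.add(lid)
        used_right.add(rid)
        bucket = matched if score >= accept else needs_review
        bucket.append((lid, rid, round(score, 3)))
    unmatched = [l["id"] for l in left if l["id"] not in used_left]
    return matched, needs_review, unmatched


# Constructed sample records from two systems with no shared key.
CRM_EXPORT = [
    {"id": "L1", "name": "Acme Corp.", "address": "12 Main St."},
    {"id": "L2", "name": "Jon Smith", "address": "45 Oak Ave"},
    {"id": "L3", "name": "Borealis Dental", "address": "7 Pine Rd"},
]
BILLING_EXPORT = [
    {"id": "R1", "name": "ACME Corporation", "address": "12 Main Street"},
    {"id": "R2", "name": "John Smith", "address": "45 Oak Avenue, Apt 2"},
    {"id": "R3", "name": "Zenith Logistics", "address": "900 Harbour Road"},
]

if __name__ == "__main__":
    matched, needs_review, unmatched = match_datasets(CRM_EXPORT, BILLING_EXPORT)
    print("matched:     ", matched)
    print("needs review:", needs_review)
    print("unmatched:   ", unmatched)
```

    Standardization alone turns the first pair into an exact match; the second pair lands in the review band, and the third record is reported as unmatched rather than forced onto a weak candidate.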

    People

    Reporting and Documentation

    Business data glossary and data lineage – Define a business data glossary to enhance findability of key data elements. Document data mappings and ETL logic.

    Create data quality reports – Many ETL platforms provide canned data quality reports. Leverage those quality reports to monitor the data health.

    Code Review

    ARB (architectural review board) – All ETL code should be approved by the architectural review board to ensure alignment with the overall integration strategy.

    Data quality improvement strategy #4:

    Improve data quality policies and procedures.

    Technology

    Policy Reporting

    Data quality reports – Leverage canned data quality reports from the ETL platforms to monitor data quality on an ongoing basis. When abnormalities are found, invoke the right policies to deal with the issues.

    Store policies in a central location that is well known and easy to find and access. A key way that technology can help communicate policies is by having them published on a centralized website.

    Make the repository searchable and easily navigable. myPolicies helps you do all this and more.

    People

    Policy Review and Training

    Policy review – Create a schedule for reviewing policies on a regular basis, and invite professional writers to ensure policies are understandable.

    Policy training – Policies are often unread and misread. Training users and stakeholders on policies is an effective way to make sure those users and stakeholders understand the rationale of the policies. It is also a good practice to include a few scenarios that are handled by the policies.

    Policy hotline/mailbox – To avoid misinterpretation of the policies, a policy hotline/mailbox should be set up to answer any data policy questions from the end users/stakeholders.

    Policy Communications

    Simplified communications – Create handy one-pagers and infographic posters to communicate the key messages of the policies.

    Policy briefing – Whenever a new data project is initiated, a briefing of data policies should be given to ensure the project team follows the policies from the very beginning.

    Data quality improvement strategy #5:

    Streamline and optimize business processes.

    Technology

    Requirements Gathering

    Data Lineage – Leverage a metadata management tool to construct and document data lineage for future reference.

    Documentation Repository – It is a best practice to document key project information and share that knowledge across the project team and with the stakeholders. An improved understanding of the project helps to identify data quality issues early on in the project.

    “Automating creation of data would help data quality most. You have to look at existing processes and create data signatures. You can then derive data off those data codes.” – Patrick Bossey, Manager of Business Intelligence, Crawford and Company

    People

    Requirements Gathering

    Info-Tech’s 4-Column Model – The datasets may exist but the business units do not have an effective way of communicating the quality needs. Use our four-column model and the eleven supporting questions to better understand the quality needs. See subsequent slides.

    I don’t know what the data means so I think the quality is poor – It is not uncommon for the right data to be presented to the business while the business does not trust it. The business may also not understand the business logic applied to the data. See our Business Data Glossary in subsequent slides.

    Understand the business workflow – Know the business workflow to understand the manual steps associated with the workflow. You may find steps in which data is entered, manipulated, or consumed inappropriately.

    “Do a shadow data exercise where you identify the human workflows of how data gets entered, and then you can identify where data entry can be automated.” – Diraj Goel, Growth Advisor, BC Tech

    Brainstorm solutions to your data quality issues

    4 hours

    Input

    • Data profiling results
    • Preliminary root cause analyses

    Output

    • Proposals for data fix
    • Fixed issues

    Materials

    • Data Quality Improvement Plan Template

    Participants

    • Business and Data Analysts
    • Data experts and stewards

    After walking through the best-practice solutions to data quality issues, propose solutions to fix your identified issues.

    Instructions

    1. Review Root Cause Analyses: Revisit the root cause analysis and data lineage diagram you have generated in Step 3.2 to understand the issues in greater detail.
    2. Characterize Each Issue: You may need to generate a data profiling report to characterize the issue. The report can be generated by using data quality suites, BI platforms, or even SQL statements.
    3. Brainstorm the Solutions: As a group, discuss potential ways to fix the issue. You can tackle the issues by crossing the solution approaches with the problematic areas:
       • Solution Approaches: Technology Approach; People Approach
       • Problematic Areas: Application/System Design; Database Design; Data Integration and Synchronization; Policies and Procedures; Business Processes
    4. Document and Communicate: Document the solutions to your data issues. You may need to reuse or refer to the solutions. Also brainstorm some ideas on how to communicate the results back to the business.

    Sustaining your data quality requires continuous oversight through a data governance practice

    Quality data is the ultimate outcome of data governance and data quality management. Data governance enables data quality by providing the necessary oversight and controls for business processes in order to maintain data quality. There are three primary groups (at right) that are involved in a mature governance practice. Data quality should be tightly integrated with all of them.

    Define an effective data governance strategy and ensure the strategy integrates well with data quality with Info-Tech’s Establish Data Governance blueprint.

    Data Governance Council

    This council establishes data management practices that span the organization. It should be composed of senior management or C-suite executives who can represent the various departments and lines of business within the organization. The data governance council can help to promote the value of data governance, facilitate a culture that nurtures data quality, and ensure that the goals of the data governance program are well aligned with business objectives.

    Data Owners

    Identifying the data owner role within an organization helps to create a greater degree of accountability for data issues. They often oversee how the data is being generated as well as how it is being consumed. Data owners come from the business side and have legal rights and defined control over a data set. They ensure data is available to the right people within the organization.

    Data Stewards

    Conflict can occur within an organization’s data governance program when a data steward’s role is confused with that of the steering committee’s role. Data stewards exist to enforce decisions made about data governance and data management. Data stewards are often business analysts or power users of a particular system/dataset. Where a data owner is primarily responsible for access, a data steward is responsible for the quality of a dataset.

    Integrate the data quality management strategy with existing data governance committees

    Ongoing and regular data quality management is the responsibility of the data governance bodies of the organization.

    The oversight of ongoing data quality activities rests on the shoulders of the data governance committees that exist in the organization.

    There is no one-size-fits-all data governance structure. However, most organizations follow a similar pattern when establishing committees, councils, and cross-functional groups. They strive to identify roles and responsibilities at a strategic, tactical, and operational level:

    The image shows a pyramid, with Executive Sponsors at the top, with the following roles in descending order: DG Council; Steering Committee; Working Groups; Data Owners and Data Stewards; and Data Users. Along the left side of the pyramid, there are three labels, in ascending order: Operational, Tactical, and Strategic.

    The image is a flow chart showing project roles, in two sections: the top section is labelled Governing Bodies, and the lower section is labelled Data Quality Improvement Team. There is a note indicating that the Data Owner reports to and provides updates regarding the state of data quality and data quality initiatives.

    Create and update the organization’s Business Data Glossary to keep up with current data definitions

    2 hours

    Input

    • Metrics and goals for data quality

    Output

    • Regularly scheduled data quality checkups

    Materials

    • Business Data Glossary Template
    • Data Quality Dashboard

    Participants

    • Data steward

    A crucial aspect of data quality and governance is the Business Data Glossary. The Business Data Glossary helps to align the terminology of the business with the organization’s data assets. It allows the people who interact with the data to quickly identify the applications, processes, and stewardship associated with it, which will enhance the accuracy and efficiency of searches for organization data definitions and attributes, enabling better access to the data. This will, in turn, enhance the quality of the organization’s data because it will be more accurate, relevant, and accessible.

    Use the Business Data Glossary Template to document key aspects of the data, such as:

    • Definition
    • Source System
    • Possible Values
    • Data Steward
    • Data Sensitivity
    • Data Availability
    • Batch or Live
    • Retention

    Data Element

    • Mkt-Product
    • Fin-Product

    Info-Tech Insight

    The Business Data Glossary ensures that the crucial data that has key business use by key business systems and users is appropriately owned and defined. It also establishes rules that lead to proper data management and quality to be enforced by the data owners.

    Data Steward(s): Use the Data Quality Improvement Plan of the business unit for ongoing quality monitoring

    Integrating your data quality strategy into the organization’s data governance program requires passing the strategy over to members of the data governance program. The data steward role is responsible for data quality at the business unit level, and should have been involved with the creation and implementation of the data quality improvement project. After the data quality repairs have been made, it is the responsibility of the data steward to regularly monitor the quality of the business unit’s data.

    Create Improvement Plan ↓
    • Data Quality Improvement Team identifies root cause issues.
    • Brainstorm solutions.
    Implement Improvement Plan ↓
    • Data Quality Improvement Team works with IT.
    Sustain Improvement Plan
    • Data Steward should regularly monitor data quality.

    See Info-Tech’s Data Steward Job Description Template for a detailed understanding of the roles and responsibilities of the data steward.

    Responsible for sustaining

    The image shows a screen capture of a document entitled Business Context & Subject Area Selection.

    Develop a business-facing data quality dashboard to show improvements or a sudden dip in data quality

    One tool that the data steward can take advantage of is the data quality dashboard. Initiatives that are implemented to address data quality must have metrics defined by business objectives in order to demonstrate the value of the data quality improvement projects. In addition, the data steward should have tools for tracking data quality in the business unit to report issues to the data owner and data governance steering committee.

    • Example 1: Marketing uses data for direct mail and e-marketing campaigns. They care about customer data in particular. Specifically, they require high data quality in attributes such as customer name, address, and product profile.
    • Example 2: Alternatively, Finance places emphasis on financial data, focusing on attributes like account balance, latency in payment, credit score, and billing date.

    The image is a business dashboard on data quality for Marketing. It features data quality metrics, listed in the left column, and numbers for each quarter over the course of one year, on the right.

    Notes on chart:

    General improvement in billing address quality

    Sudden drop in touchpoint accuracy may prompt business to ask for explanations

    Approach to creating a business-facing data quality dashboard:

    1. Schedule a meeting with the functional unit to discuss what key data quality metrics are essential to their business operations. You should consider the business context, functional area, and subject area analyses you completed in Phase 1 as a starting point.
    2. Discuss how to gather data for the key metrics and their associated calculations.
    3. Discuss and decide the reporting intervals.
    4. Discuss and decide the unit of measurement.
    5. Generate a dashboard similar to the example. Consider using a BI or analytics tool to develop the dashboard.

    Data quality management must be sustained for ongoing improvements to the organization’s data

    • Data quality is never truly complete; it is a set of ongoing processes and disciplines that requires a permanent plan for monitoring practices, reviewing processes, and maintaining consistent data standards.
    • Setting the expectation to stakeholders that a long-term commitment is required to maintain quality data within the organization is critical to the success of the program.
    • A data quality maintenance program will continually revise and fine-tune ongoing practices, processes, and procedures employed for organizational data management.

    Data quality is a program that requires continual care:

    →Maintain→Good Data →

    Data quality management is a long-term commitment that shifts how an organization views, manages, and utilizes its corporate data assets. Long-term buy-in from all involved is critical.

    “Data quality is a process. We are trying to constantly improve the quality over time. It is not a one-time fix.” – Akin Akinwumi, Manager of Data Governance, Startech.com

    Define a data quality review agenda for data quality sustainment

    2 hours

    Input

    • Metrics and goals for data quality

    Output

    • Regularly scheduled data quality checkups

    Materials

    • Data Quality Diagnostic
    • Data Quality Dashboard

    Participants

    • Data Steward

    As a data steward, you are responsible for ongoing data quality checks of the business unit’s data. Define an improvement agenda to organize the improvement activities. Organize the activities yearly and quarterly to ensure improvement is done year-round.

    Quarterly

    • Measure data quality metrics against milestones. Perform a regular data quality health check with Info-Tech’s Data Quality Diagnostic.
    • Review the business unit’s Business Data Glossary to ensure that it is up to date and comprehensive.
    • Assess progress of practice area initiatives (time, milestones, budget, benefits delivered).
    • Analyze overall data quality and report progress on key improvement projects and corrective actions in the executive dashboard.
    • Communicate overall status of data quality to oversight body.

    Annually

    • Calculate your current baseline and measure progress by comparing it to previous years.
    • Set/revise quality objectives for each practice area and inter-practice hand-off processes.
    • Re-evaluate/re-establish data quality objectives.
    • Set/review data quality metrics and tracking mechanisms.
    • Set data quality review milestones and timelines.
    • Revisit data quality training from an end-user perspective and from a practitioner perspective.

    Info-Tech Insight

    Run a data quality diagnostic at the beginning of any improvement plan, then recheck health with the diagnostic at regular intervals to see if symptoms are coming back. This should be a monitoring activity, not a data quality fixing activity. If symptoms are bad enough, repeat the improvement plan process.

    Take the next step in your Data & Analytics Journey

    After establishing your data quality program, look to increase your data & analytics maturity.

    • Artificial Intelligence (AI) is a concept that many organizations strive to implement. AI can really help in areas such as data preparation. However, implementing AI solutions requires a level of maturity that many organizations are not at.
    • While a solid data quality foundation is essential for successful AI initiatives, AI can also help ensure high data quality.
    • An AI analytics solution can address data integrity issues at the earliest point of data processing, rapidly transforming these vast volumes of data into trusted business information. This can be done through anomaly detection, which flags “bad” data, identifying suspicious anomalies that can impact data quality. By tracking and evaluating data, anomaly detection gives critical insights into data quality as data is processed. (Ira Cohen, The End to a Never-Ending Story? Improve Data Quality with AI Analytics, anodot, 2020)

    Consider… “Garbage in, garbage out.”

    Lay a solid foundation by addressing your data quality issues prior to investing heavily in an AI solution.

    Related Info-Tech Research

    Are You Ready for AI?

    • Use AI as a compelling event to expedite funding, resources, and project plans for your data-related initiatives. Check out this note to understand what it takes to be ready to implement AI solutions.

    Get Started With Artificial Intelligence

    • Current AI technology is data-enabled, automated, adaptive decision support. Once you believe you are ready for AI, check out this blueprint on how to get started.

    Build a Data Architecture Roadmap

    • The data lineage diagram was a key tool used in establishing your data quality program. Check out this blueprint and learn how to optimize your data architecture to provide greatest value from data.

    Create an Architecture for AI

    • Build your target state architecture from predefined best practice building blocks. This blueprint assists members first to assess if they have the maturity to embrace AI in their organization, and if so, which AI acquisition model fits them best.

    Phase 4 Summary

    Data Quality Improvement Strategy

    • Brainstorm solutions to your data quality issues using the following data quality improvement strategies as a guide:
      1. Fix data quality issues by improving system/application design
      2. Fix data quality issues using proper database design
      3. Improve integration and synchronization of enterprise data
      4. Improve data quality policies and procedures
      5. Streamline and optimize business processes

    Sustain Your Data Quality Program

    • Quality data is the ultimate outcome of data governance and data quality management.
    • Sustaining your data quality requires continuous oversight through a data governance practice.
    • There are three primary groups (Data Governance Council, Data Owners, and Data Stewards) that are involved in a mature governance practice.

    Grow Your Data & Analytics Maturity

    • After establishing your data quality program, take the next step in increasing your data & analytics maturity.
    • Good data quality is the foundation of pursuing different ways of maximizing the value of your data such as implementing AI solutions.
    • Continue your data & analytics journey by referring to Info-Tech’s quality research.

    Research Contributors and Experts

    Izabela Edmunds

    Information Architect, Mott MacDonald

    Akin Akinwumi

    Manager of Data Governance, Startech.com

    Diraj Goel

    Growth Advisor, BC Tech

    Sujay Deb

    Director of Data Analytics Technology and Platforms, Export Development Canada

    Asif Mumtaz

    Data & Solution Architect, Blue Cross Blue Shield Association

    Patrick Bossey

    Manager of Business Intelligence, Crawford and Company

    Anonymous Contributors

    Ibrahim Abdel-Kader

    Research Specialist, Info-Tech Research Group

    Ibrahim is a Research Specialist at Info-Tech Research Group. In his career to date he has assisted many clients using his knowledge in process design, knowledge management, SharePoint for ECM, and more. He is expanding his familiarity in many areas such as data and analytics, enterprise architecture, and CIO-related topics.

    Reddy Doddipalli

    Senior Workshop Director, Info-Tech Research Group

    Reddy is a Senior Workshop Director at Info-Tech Research Group, focused on data management and specialized analytics applications. He has over 25 years of strong industry experience in IT leading and managing analytics suite of solutions, enterprise data management, enterprise architecture, and artificial intelligence–based complex expert systems.

    Andy Neill

    Practice Lead, Data & Analytics and Enterprise Architecture, Info-Tech Research Group

    Andy leads the data and analytics and enterprise architecture practices at ITRG. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and development of industry standard data models.

    Crystal Singh

    Research Director, Data & Analytics, Info-Tech Research Group

    Crystal is a Research Director at Info-Tech Research Group. She brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.

    Igor Ikonnikov

    Research Director, Data & Analytics, Info-Tech Research Group

    Igor is a Research Director at Info-Tech Research Group. He has extensive experience in strategy formation and execution in the information management domain, including master data management, data governance, knowledge management, enterprise content management, big data, and analytics.

    Andrea Malick

    Research Director, Data & Analytics, Info-Tech Research Group

    Andrea Malick is a Research Director at Info-Tech Research Group, focused on building best practices knowledge in the enterprise information management domain, with corporate and consulting leadership in enterprise architecture and content management (ECM).

    Natalia Modjeska

    Research Director, Data & Analytics, Info-Tech Research Group

    Natalia Modjeska is a Research Director at Info-Tech Research Group. She advises members on topics related to AI, machine learning, advanced analytics, and data science, including ethics and governance. Natalia has over 15 years of experience in developing, selling, and implementing analytical solutions.

    Rajesh Parab

    Research Director, Data & Analytics, Info-Tech Research Group

    Rajesh Parab is a Research Director at Info-Tech Research Group. He has over 20 years of global experience and brings a unique mix of technology and business acumen. He has worked on many data-driven business applications. In his previous architecture roles, Rajesh created a number of product roadmaps, technology strategies, and models.

    Bibliography

    Amidon, Kirk. "Case Study: How Data Quality Has Evolved at MathWorks." The Fifth MIT Information Quality Industry Symposium. 13 July 2011. Web. 19 Aug. 2015.

    Boulton, Clint. “Disconnect between CIOs and LOB managers weakens data quality.” CIO. 05 February 2016. Accessed June 2020.

    COBIT 5: Enabling Information. Rolling Meadows, IL: ISACA, 2013. Web.

    Cohen, Ira. “The End to a Never-Ending Story? Improve Data Quality with AI Analytics.” anodot. 2020.

    “DAMA Guide to the Data Management Body of Knowledge (DAMA-DMBOK Guide).” First Edition. DAMA International. 2009. Digital. April 2014.

    "Data Profiling: Underpinning Data Quality Management." Pitney Bowes. Pitney Bowes - Group 1 Software, 2007. Web. 18 Aug. 2015.

    Data.com. “Data.com Clean.” Salesforce. 2016. Web. 18 Aug. 2015.

    “Dawn of the CDO.” Experian Data Quality. 2015. Web. 18 Aug. 2015.

    Demirkan, Haluk, and Bulent Dal. "Why Do So Many Analytics Projects Fail?" The Data Economy: Why Do so Many Analytics Projects Fail? Analytics Magazine. July-Aug. 2014. Web.

    Dignan, Larry. “CIOs juggling digital transformation pace, bad data, cloud lock-in and business alignment.” ZDNet. 11 March 2020. Accessed July.

    Dumbleton, Janani, and Derek Munro. "Global Data Quality Research - Discussion Paper 2015." Experian Data Quality. 2015. Web. 18 Aug. 2015.

    Eckerson, Wayne W. "Data Quality and the Bottom Line - Achieving Business Success through a Commitment to High Quality Data." The Data Warehouse Institute. 2002. Web. 18 Aug. 2015.

    “Infographic: Data Quality in BI the Costs and Benefits.” HaloBI. 2015. Web.

    Lee, Y.W. and Strong, D.M. “Knowing-Why About Data Processes and Data Quality.” Journal of Management Information Systems. 2004.

    “Making Data Quality a Way of Life.” Cognizant. 2014. Web. 18 Aug. 2015.

    "Merck Serono Achieves Single Source of Truth with Comprehensive RIM Solutions." www.productlifegroup.com. ProductLife Group. 15 Apr. 2015. Web. 23 Nov. 2015.

    Myers, Dan. “List of Conformed Dimensions of Data Quality.” Conformed Dimensions of Data Quality (CDDQ). 2019. Web.

    Redman, Thomas C. “Make the Case for Better Data Quality.” Harvard Business Review. 24 Aug. 2012. Web. 19 Aug. 2015.

    RingLead Data Management Solutions. “10 Stats About Data Quality I Bet You Didn’t Know.” RingLead. Accessed 7 July 2020.

    Schwartzrock, Todd. "Chrysler's Data Quality Management Case Study." Online video clip. YouTube. 21 April 2011. Web. 18 Aug. 2015.

    “Taking control in the digital age.” Experian Data Quality. Jan 2019. Web.

    “The data-driven organization, a transformation in progress.” Experian Data Quality. 2020. Web.

    "The Data Quality Benchmark Report." Experian Data Quality. Jan. 2015. Web. 18 Aug. 2015.

    “The state of data quality.” Experian Data Quality. Sept. 2013. Web. 17 Aug. 2015.

    Vincent, Lanny. “Differentiating Competence, Capability and Capacity.” Innovation Management Services. Web. June 2008.

    “7 ways poor data quality is costing your business.” Experian Data Quality. July 2020. Web.

    Build a Value Measurement Framework

    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $82,374 Average $ Saved
    • member rating average days saved: 35 Average Days Saved
    • Rapid changes in today’s market require rapid, value-based decisions, and organizations that lack a shared definition of value fail to maintain their competitive advantage.
    • Different parts of an organization have different value drivers that must be given balanced consideration.
    • Focusing solely on revenue ignores the full extent of value creation in your organization and does not necessarily result in the right outcomes.

    Our Advice

    Critical Insight

    • Business is the authority on business value. While IT can identify some sources of value, business stakeholders must participate in the creation of a definition that is meaningful to the whole organization.
    • It’s about more than profit. Organizations must have a definition that encompasses all of the sources of value or they risk making short-term decisions with long-term negative impacts.
    • Technology creates business value. Treating IT as a cost center makes for short-sighted decisions in a world where every business process is enabled by technology.

    Impact and Result

    • Standardize your definition of business value. Work with your business partners to define the different sources of business value that are created through technology-enabled products and services.
    • Weigh your value drivers. Ensure that business and IT understand the relative weight and priority of the different sources of business value you have identified.
    • Use a balanced scorecard to understand value. Use the different value drivers to understand and prioritize different products, applications, projects, initiatives, and enhancements.

    Build a Value Measurement Framework Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why building a consistent and aligned framework to measure the value of your products and services is vital for setting priorities and getting the business on board.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your value drivers

    This phase will help you define and weigh value drivers based on overarching organizational priorities and goals.

    • Build a Value Measurement Framework – Phase 1: Define Your Value Drivers
    • Value Calculator

    2. Measure value

    This phase will help you analyze the value sources of your products and services and their alignment to value drivers to produce a value score that you can use for prioritization.

    • Build a Value Measurement Framework – Phase 2: Measure Value

    Further reading

    Build a Value Measurement Framework

    Focus product delivery on business value–driven outcomes.

    ANALYST PERSPECTIVE

    "A meaningful measurable definition of value is the key to effectively managing the intake, prioritization, and delivery of technology-enabled products and services."

    Cole Cioran,

    Senior Director, Research – Application Development and Portfolio Management

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIOs who need to understand the value IT creates
    • Application leaders who need to make good decisions on what work to prioritize and deliver
    • Application and project portfolio managers who need to ensure the portfolio creates business value
    • Product owners who are accountable for delivering value

    This Research Will Help You:

    • Define quality in your organization’s context from both business and IT perspectives.
    • Define a repeatable process to understand the value of a product, application, project, initiative, or enhancement.
    • Define value sources and metrics.
    • Create a tool to make it easier to balance different sources of value.

    This Research Will Also Assist:

    • Product and application delivery teams who want to make better decisions about what they deliver
    • Business analysts who need to make better decisions about how to prioritize their requirements

    This Research Will Help Them:

    • Create a meaningful relationship with business partners around what creates value for the organization.
    • Enable better understanding of your customers and their needs.

    Executive summary

    Situation

    • Measuring the business value provided by IT is critical for improving the relationship between business and IT.
    • Rapid changes in today’s market require rapid, value-based decisions.
    • Every organization has unique drivers that make it difficult to see the benefits based on time and impact approaches to prioritization.

    Complication

    • An organization’s lack of a shared definition of value leads to politics and decision making that does not have a firm, quantitative basis.
    • Different parts of an organization have different value drivers that must be given balanced consideration.
    • Focusing solely on revenue does not necessarily result in the right outcomes.

    Resolution

    • Standardize your definition of business value. Work with your business partners to define the different sources of business value that are created through technology-enabled products and services.
    • Weigh your value drivers. Ensure business and IT understand the relative weight and priority of the different sources of business value you have identified.
    • Use a balanced scorecard to understand value. Use the different value drivers to understand and prioritize different products, applications, projects, initiatives, and enhancements.

    Info-Tech Insight

    1. Business is the authority on business value. While IT can identify some sources of value, business stakeholders must participate in the creation of a definition that is meaningful to the whole organization.
    2. It’s about more than profit. Organizations must have a definition that encompasses all of the sources of value, or they risk making short-term decisions with long-term negative impacts.
    3. Technology creates business value. Treating IT as a cost center makes for short-sighted decisions in a world where every business process is enabled by technology.

    Software is not currently creating the right outcomes

    Software products are taking more and more out of IT budgets.

    38% of spend on IT employees goes to software roles.

    Source: Info-Tech’s Staffing Survey

    18% of opex is spent on software licenses.

    Source: SoftwareReviews.com

    33% of capex is spent on new software.

    However, the reception and value of software products do not justify the money invested.

    Only 34% of software is rated as both important and effective by users.

    Source: Info-Tech’s CIO Business Vision

    IT benchmarks do not help or matter to the business. Focus on the metrics that represent business outcomes.

    A pie chart is shown as an example to show how benchmarks do not help the business.

    IT departments have a tendency to measure only their own role-based activities and deliverables, which only prove useful for selling practice improvement services. Technology doesn’t exist for technology's sake. It’s in place to generate specific outcomes. IT and the business need to be aligned toward a common goal of enabling business outcomes, and that’s the important measurement.

    "In today’s connected world, IT and business must not speak different languages."

    – Cognizant, 2017

    CxOs stress the importance of value as the most critical area for IT to improve reporting

    A bar graph shows the importance CxOs place on value. For business value metrics, 32% indicate that significant improvement is necessary and 51% indicate that some improvement is necessary.

    N=469 CxOs from Info-Tech’s CEO/CIO Alignment Diagnostic

    Key stakeholders want to know how you and your products or services help them realize their goals.

    While the basics of value are clear, few take the time to reach a common definition and means to measure and apply value

    Often, IT misses the opportunity to become a strategic partner because it doesn’t understand how to communicate and measure its value to the business.

    "Price is what you pay. Value is what you get."

    – Warren Buffett

    Being able to understand the value context will allow IT to articulate where IT spend supports business value and how it enables business goal achievement.

    Value is...

    • Derived from business context: What is our business context?
    • Enabled through governance and strategy: Who sees the strategy through?
    • The underlying context for decision making: How is value applied to support decisions?
    • A measure of achievement: How do I measure?

    Determine your business context by assessing the goals and defining the unique value drivers in your organization

    Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of sources of value. Dissecting value by the benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.

    A business value matrix is shown. It shows the relationship between reach customers, increase revenue, reduce costs, and enhance services.

    Financial Benefits vs. Improved Capabilities

    Financial Benefits refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible. Human Benefits refers to how a product or service can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    • Increase Revenue: Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.
    • Reduce Costs: Reduction of overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not been put in place.
    • Enhance Services: Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.
    • Reach Customers: Application functions that enable and improve the interaction with customers or produce market information and insights.

    See your strategy through by involving both IT and the business

    Buy-in for your IT strategy comes from the ability to showcase value. IT needs to ensure it has an aligned understanding of what is valuable to the organization.

    Business value needs to first be established by the business. After that, IT can build a partnership with the business to determine what that value means in the context of IT products and services.

    • The Business: Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the products along with those most familiar with the capabilities or processes enabled by technology.
    • What the Business and IT have in common: Business Value of Products and Services
    • IT: Technical subject matter experts of the products and services they deliver and maintain. Each IT function works together to ensure quality products and services are delivered up to stakeholder expectations.

    Measure your product or services with Info-Tech’s Value Measurement Framework (VMF) and value scores

    The VMF provides a consistent and less subjective approach to generating a value score for an application, product, service, or individual feature, by using business-defined value drivers and product-specific value metrics.

    Info-Tech's Value Measurement Framework is shown.

    A consistent set of established value drivers, sources, and metrics gives more accurate comparisons of relative value

    • Value Drivers: Broad categories of values, weighed and prioritized based on overarching goals
    • Value Sources: Instances of created value expressed as a “business outcome” of a particular function
    • Value Fulfillment Metrics: Units of measurement and estimated targets linked to a value source

    Value Driver | Value Source | Value Fulfillment Metric
    Reach Customers | Customer Satisfaction | Net Promoter Score
     | Customer Loyalty | # of Repeat Visits
    Create Revenue Streams | Data Monetization | Dollars Derived From Data Sales
     | Leads Generation | Leads Conversion Rate
    Operational Efficiency | Operational Efficiency | Number of Interactions
     | Workflow Management | Cycle Time
     | Adhere to regulations & compliance | Number of Policy Exceptions

    A balanced and weighted scorecard allows you to measure the various ways products generate value to the business

    The Info-Tech approach to measuring value applies the balanced value scorecard approach.

    Importance of value source × Impact of value source = Value Score

    • Importance of value source is based on alignment to a value driver, which is weighed by a 1-5 scale of the relative importance of the value driver to the organization.
    • Impact of value source is based on realistic targets for the KPI, which is estimated by a 1-5 scale of the application or feature’s ability to fulfill that value source.

    (Importance of Value Source × Impact of Value Source) + (Importance of Value Source × Impact of Value Source) + (Importance of Value Source × Impact of Value Source) + (Importance of Value Source × Impact of Value Source) = Balanced Business Value Score

    Value Score 1 + Value Score 2 + … + Value Score N = Overall Balanced Value Score

    Value scores help support decisions. This blueprint looks specifically at four use cases for value scores.

    A value score is an input to the following activities:

    1. Prioritize Your Product Backlog

      Estimate the relative value of different product backlog items (i.e. epics, features, etc.) to ensure the highest value items are completed first.

      This blueprint can be used as an input into Info-Tech’s Build a Better Backlog.

    2. Prioritize Your Project Backlog

      Estimate the relative value of proposed new applications or major changes or enhancements to existing applications to ensure the right projects are selected and completed first.

      This blueprint can be used as an input into Info-Tech’s Optimize Project Intake, Approval, and Prioritization.

    3. Rationalize Your Applications

      Gauge the relative value from the current use of your applications to support strategic decision making such as retirement, consolidation, and further investments.

      This blueprint can be used as an input into Info-Tech’s Visualize Your Application Portfolio Strategy With a Business Value-Driven Roadmap.

    4. Categorize Application Tiers

      Gauge the relative value of your existing applications to distinguish your most to least important systems and build tailored support structures that limit the downtime of key value sources.

      This blueprint can be used as an input into Info-Tech’s Streamline Application Maintenance.

    The priorities, metrics, and a common understanding of value in your VMF carry over to many other Info-Tech blueprints

    Transition to Product Delivery

    Build a Product Roadmap

    Modernize Your SDLC

    Build a Strong Foundation for Quality

    Implement Agile Practices That Work

    Use Info-Tech’s Value Calculator

    The Value Calculator facilitates the activities surrounding defining and measuring the business value of your products and services.

    Use this tool to:

    • Weigh the importance of each Value Driver based on established organizational priorities.
    • Create a repository for Value Sources to provide consistency throughout each measurement.
    • Produce an Overall Balanced Value Score for a specific item.

    Info-Tech Deliverable

    A screenshot of Info-Tech's Value Calculator is shown.

    Populate the Value Calculator as you complete the activities and steps on the following slides.

    Limitations of the Value Measurement Framework

    "All models are wrong, but some are useful."

    – George E.P. Box, 1979

    Value is tricky: Value can be intangible, ambiguous, and cause all sorts of confusion, with the multiple, and often conflicting, priorities any organization is sure to have. You won’t likely come to a unified understanding of value or an agreement on whether one thing is more valuable than something else. However, this doesn’t mean you shouldn’t try. The VMF provides a means to organize various priorities in a meaningful way and to assess the relative value of a product or service to guide managers and decision makers on the right track and keep alignment with the rest of the organization.

    Relative value vs. ROI: This assessment produces a score to determine the value of a product or service relative to other products or services. Its primary function is to prioritize similar items (projects, epics, requirements, etc.) as opposed to producing a monetary value that can directly justify cost and make the case for a positive ROI.

    Apply caution with metrics: We live in a metric-crazed era, where everything is believed to be measurable. While there is little debate over recent advances in data, analytics, and our ability to trace business activity, some goals are still quite intangible, and managers stumble trying to link these goals to a quantifiable data source.

    In applying the VMF, Info-Tech urges you to remember that metrics are not a magical solution. They should be treated as a tool in your toolbox and are sometimes no more than a rough gauge of performance. Carefully assign metrics to your products and services and do not disregard the informed subjective perspective when SMART metrics are unavailable.

    "One of the deadly diseases of management is running a company on visible figures alone."

    – William Edwards Deming, 1982

    Info-Tech’s Build a Value Measurement Framework glossary of terms

    This blueprint discusses value in a variety of ways. Use our glossary of terms to understand our specific focus.

    Value Measurement Framework (VMF)

    A method of measuring relative value for a product or service, or the various components within a product or service, through the use of metrics and weighted organizational priorities.

    Value Driver

    A broad organizational goal that acts as a category for many value sources.

    Value Source

    A specific business goal or outcome that business and product or service capabilities are designed to fulfill.

    Value Fulfillment

    The degree to which a product or service impacts a business outcome, ideally linked to a metric.

    Value Score

    A measurement of the value fulfillment factored by the weight of the corresponding value driver.

    Overall Balanced Value Score

    The combined value scores of all value sources linked to a product or service.

    Relative Value

    A comparison of value between two similar items (i.e. applications to applications, projects to projects, feature to feature).

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Build a Value Measurement Framework – project overview

    1. Define Your Value Drivers

    2. Measure Value

    Best-Practice Toolkit

    1.1 Identify your business value authorities.

    2.1 Define your value drivers.

    2.2 Weigh your value drivers.

    • Identify your product or service SMEs.
    • List your products or services items and components.
    • Identify your value sources.
    • Align to a value driver.
    • Assign metrics and gauge value fulfillment.

    Guided Implementations

    Identify the stakeholders who should be the authority on business value.

    Identify, define, and weigh the value drivers that will be used in your VMF and all subsequent value measurements.

    Identify the stakeholders who are the subject matter experts for your products or services.

    Measure the value of your products and services with value sources, fulfillment, and drivers.

    Outcome:

    • Value drivers and weights

    Outcome:

    • An initial list of reusable value sources and metrics
    • Value scores for your products or services

    Phase 1

    Define Your Value Drivers

    First determine your value drivers and add them to your VMF

    One of the main aspects of the VMF is to apply consistent and business-aligned weights to the products or services you will evaluate.

    This is why we establish your value drivers first:

    • Get the right executive-level “value authorities” to establish the overarching weights.
    • Build these into the backbone of the VMF to consistently apply to all your future measurements.

    An image of the Value Measurement Framework is shown.

    Step 1.1: Identify Value Authorities

    Phase 1

    1.1: Identify Value Authorities

    1.2: Define Value Drivers

    Phase 2

    2.1: Identify Product or Service SMEs

    2.2: Measure Value

    This step will walk you through the following activities:

    • Identify your authorities on business value.

    This step involves the following participants:

    • Owners of your value measurement framework

    Outcomes of this step

    • Your list of targeted individuals to include in Step 2.1

    Business value is best defined and measured by the combined effort and perspective of both IT and the business

    Buy-in for your IT strategy comes from the ability to showcase value. IT needs to ensure it has an aligned understanding of what is valuable to the organization. First, priorities need to be established by the business. Second, IT can build a partnership with the business to determine what that value means in the context of IT products and services.

    • The Business: Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the products along with those most familiar with the capabilities or processes enabled by technology.
    • What the Business and IT have in common: Business Value of Products and Services
    • IT: Technical subject matter experts of the products and services they deliver and maintain. Each IT function works together to ensure quality products and services are delivered up to stakeholder expectations.

    Engage key stakeholders to reach a consensus on organizational priorities and value drivers

    Engage these key players to create your value drivers:

    CEO: Who better holds the vision or mandate of the organization than its leader? Ideally, they are front and center for this discussion.

    CIO: IT must ensure that technical/practical considerations are taken into account when determining value.

    CFO: The CFO or designated representative will ensure that estimated costs and benefits can be used to manage the budgets.

    VPs: Application delivery and management is designed to generate value for the business. Senior management from business units must help define what that value is.

    Evaluators (PMO, PO, APM, etc.): Those primarily responsible for applying the VMF should be present and active in identifying and carefully defining your organization’s value drivers.

    Steering Committee: This established body, responsible for the strategic direction of the organization, is really the primary audience.

    Identify your authorities of business value to identify, define, and weigh value drivers

    1.1 Estimated Time: 15 minutes

    The objective of this exercise is to identify key business stakeholders involved in strategic decision making at an organizational level.

    1. Review your organization’s governance structure and any related materials.
    2. Identify your key business stakeholders. These individuals are the critical business strategic partners.
      1. Target those who represent the business at an organizational level and often comprise the organization’s governing bodies.
      2. Prioritize a product backlog – include product owners and product managers who are in tune with the specific value drivers of the product in question.

    INFO-TECH TIP

    If your organization does not have a formal governance structure, your stakeholders would be the key players in devising business strategy. For example:

    • CEO
    • CFO
    • BRMs
    • VPs

    Leverage your organizational chart, governing charter, and senior management knowledge to better identify key stakeholders.

    INPUT

    • Key decision maker roles

    OUTPUT

    • Targeted individuals to define and weigh value drivers

    Materials

    • N/A

    Participants

    • Owner of the value measurement framework

    Step 1.2: Define Value Drivers

    This step will walk you through the following activities:

    • Define your value drivers.
    • Weigh your value drivers.

    This step involves the following participants:

    • Owners of your value measurement framework
    • Authorities of business value

    Outcomes of this step

    • A list of your defined and weighted value drivers

    Value is based on business needs and vision

    Value is subjective. It is defined through the organization’s past achievement and its future objectives.

    Purpose & Mission

    Past Achievement & Current State

    Vision & Future State

    Culture & Leadership

    There must be a consensus view of what is valuable within the organization, and these values need to be shared across the enterprise. Instead of maintaining siloed views and fighting for priorities, all departments must have the same value and purpose in mind. These factors – purpose and mission, past achievement and current state, vision and future state, and culture and leadership – impact what is valuable to the organization.

    Value derives from the mission and vision of an organization; therefore, value is unique to each organization

    Business value represents what the business needs to do to achieve its target state. Establishing the mission and vision helps identify that target state.

    Mission

    Vision

    Business Value

    Why does the company exist?

    • Specify the company’s purpose, or reason for being, and use it to guide each day’s activities and decisions.

    What does the organization see itself becoming?

    • Identify the desired future state of the organization. The vision articulates the role the organization strives to play and the way it wants to be perceived by the customer.
    • State the ends, rather than the means, to get to the future state.

    What critical factors fulfill the mission and vision?

    • Articulate the important capabilities the business should have in order to achieve its objectives. All business activities must enable business value.
    • Communicate the means to achieve the mission and vision.

    Understand the many types of value your products or services produce

    Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of value sources. Dissecting value by the benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.

    A business value matrix is shown. It shows the relationship between reach customers, increase revenue, reduce costs, and enhance services.

    Financial Benefits vs. Improved Capabilities

    Financial Benefits refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible. Human Benefits refers to how a product or service can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    • Increase Revenue: Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.
    • Reduce Costs: Reduction of overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not been put in place.
    • Enhance Services: Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.
    • Reach Customers: Application functions that enable and improve the interaction with customers or produce market information and insights.

    Expand past Info-Tech’s high-level value quadrants and identify the value drivers specific to your organization

    Different industries have a wide range of value drivers. Consider the difference between public and private entities with respect to generating revenue or reaching their customers or other external stakeholders. Even organizations in the same industry may have different values. For example, a mature, well-established manufacturer may view reputation and innovation as its highest-priority values, whereas a struggling manufacturer will see revenue or market share growth as its main drivers.

    Value Drivers

    • Increase Revenue: Revenue growth; Data monetization
    • Reduce Costs: Cost optimization; Labor reduction
    • Enhance Services: Collaboration; Risk and compliance
    • Reach Customers: Customer experience; Trust and reputation

    You do not need to dissect each quadrant into an exhaustive list of value drivers. Info-Tech recommends defining distinct value drivers only for the areas you’ve identified as critical to your organization’s core goals and objectives.

    Understand value drivers that enable revenue growth

    Direct Revenue

    This value driver is the ability of a product or service to directly produce revenue through core revenue streams.

    Can be derived from:

    • Creating revenue
    • Improving the revenue generation of an existing service
    • Preventing the loss of a revenue stream

    Be aware of the differences between your products and services that enable a revenue source and those that facilitate the flow of capital.

    Funding

    This value driver is the ability of a product or service to enable other types of funding unrelated to core revenue streams.

    Can be derived from:

    • Tax revenue
    • Fees, fines, and ticketing programs
    • Participating in government subsidy or grant programs

    Be aware of the difference between your products and services that enable a revenue source and those that facilitate the flow of capital.

    Scale & Growth

    In essence, this driver can be viewed as the potential for growth in market share or new developing revenue sources.

    Does the product or service:

    • Increase your market share
    • Help you maintain your market share

    Be cautious of which items you identify here, as many innovative activities may have some potential to generate future revenue. Stick to those that have a strong connection to future revenue and don’t qualify for other value driver categories.

    Monetization of Assets

    This value driver is the ability of your products and services to generate additional assets.

    Can be derived from:

    • Sale of data
    • Sale of market or customer reports or analysis
    • Sale of IP

    This value source is often overlooked. If given the right attention, it can lead to a big win for IT’s role in the business.

    Understand value drivers that reduce costs

    Cost Reduction

    A cost reduction is a “hard” cost saving that is reflected as a tangible decrease to the bottom line.

    This can be derived from reduction of expenses such as:

    • Salaries and wages
    • Hardware/software maintenance
    • Infrastructure

    Cost reduction plays a critical role in an application’s ability to increase efficiency.

    Cost Avoidance

    A cost avoidance is a “soft” cost saving, typically achieved by preventing a cost from occurring in the first place (i.e. risk mitigation). Cost avoidance indirectly impacts the bottom line.

    This can be derived from prevention of expenses by:

    • Mitigating a business outage
    • Mitigating another risk event
    • Delaying a price increase

    Understand the value drivers that enhance your services

    Enable Core Operations

    Some applications are in place to facilitate and support the structure of the organization. These vary depending on the capabilities of your organization but should be assessed in relation to the organization’s culture and structure.

    • Enables a foundational capability
    • Enables a niche capability

    This example is intentionally broad, as “core operations” should be further dissected to define different capabilities with ranging priority.

    Compliance

    A product or service may be required in order to meet a regulatory requirement. In these cases, you need to be aware of the organizational risk of NOT implementing or maintaining a service in relation to those risks.

    In this case, the product or service is required in order to:

    • Prevent fines
    • Allow the organization to operate within a specific jurisdiction
    • Remediate audit gaps
    • Provide information required to validate compliance

    Internal Improvement

    An application’s ability to create value outside of its core operations and facilitate the transfer of information, insights, and knowledge.

    Value can be derived by:

    • Data analytics
    • Collaboration
    • Knowledge transfer
    • Organizational learning

    Innovation

    Innovation is typically an ill-defined value driver, as it refers to the ability of your products and services to explore new value streams.

    Consider:

    • Exploration into new markets and products
    • New methods of organizing resources and processes

    Innovation is one of the more divisive value drivers, as some organizations will strive to be cutting edge and others will want no part in taking such risks.

    Understand business value drivers that connect the business to your customers

    Policy

    Products and services can also be assessed in relation to whether they enable and support policies of the organization. Policies identify and reinforce required processes, organizational culture, and core values.

    Policy value can be derived from:

    • The service or initiative will produce outcomes in line with our core organizational values.
    • Products that enable sustainability and corporate social responsibility

    Experience

    Applications are often designed to improve the interaction between customer and product. This value type is most closely linked to product quality and user experience. Customers, in this sense, can also include any stakeholders who consume core offerings.

    Customer experience value can be derived from:

    • Improving customer satisfaction
    • Ease of use
    • Resolving a customer issue or identified pain point
    • Providing a competitive advantage for your customers

    Customer Information

    Understanding demand and customer trends is a core driver for all organizations. Data provided through understanding the ways, times, and reasons that consumers use your services is a key driver for growth and stability.

    Customer information value can be achieved when an app:

    • Addresses strategic opportunities or threats identified through analyzing trends
    • Prevents failures due to lack of capacity to meet demand
    • Connects resources to external sources to enable learning and growth within the organization

    Trust & Reputation

    Products and services are designed to enable goals of digital ethics and are highly linked to your organization’s brand strategy.

    Trust and reputation can also be described as:

    • Customer loyalty and sustainability
    • Customer privacy and digital ethics

    Prioritizing this value source is critical, as traditional priorities can often come at the expense of trust and reputation.

    Define your value drivers

    1.2 Estimated Time: 1.5 hours

    The objective of this exercise is to establish a common understanding of the different values of the organization.

    1. Place your business value authorities at the center of this exercise.
    2. Collect all the documents your organization has on the mission and vision, strategy, governance, and target state, which may be defined by enterprise architecture.
    3. Identify the company mission and vision. Simply transfer the information from the mission and vision document into the appropriate spaces in the business value statement.
    4. Determine the organization’s business value drivers. Use the mission and vision, as well as the information from the collected documents, to formulate your own idea of business values.
    5. Use the value driver template on the next slide to define the value driver, including:
    • Value Driver Name
    • Description
    • Related Business Capabilities – If available, review business architecture materials, such as business capability maps.
    • Established KPI and Targets – If available, include any organization-wide established KPIs related to your value driver. These KPIs will likely be used or influence the metrics eventually assigned to your applications.

    INPUT

    • Mission, vision, value statements

    OUTPUT

    • List and description of value drivers

    Materials

    • Whiteboard
    • Markers

    Participants

    • Business value authorities
    • Owner of value measurement framework

    Example Value Driver

    Value Driver Name

    Reach Customers

    Value Driver Description

    Our organization’s ability to provide quality products and experience to our core customers

    Value Driver Weight

    10/10

    Related Business Capabilities

    • Customer Services
    • Marketing
      • Customer Segmentation
      • Customer Journey Mapping
    • Product Delivery
      • User Experience Design
      • User Acceptance Testing

    Key Business Outcomes, KPIs, and Targets

    • Improved Customer Satisfaction
      • Net Promoter Score: 80%
    • Improved Loyalty
      • Repeat Sales: 30%
      • Customer Retention: 25%
      • Customer Lifetime Value: $2,500
    • Improved Interaction
      • Repeat Visits: 50%
      • Account Conversation Rates: 40%

    Weigh your value drivers

    1.3 Estimated Time: 30 minutes

    The objective of this exercise is to prioritize your value drivers based on their relative importance to the business.

    1. Again, place the business value authorities at the center of this exercise.
    2. In order to determine priority, divide 100% among your value drivers, allocating a percentage to each based on its relative importance to the organization.
    3. Normalize those percentages onto a scale of 1 to 10, which will act as the weights for your value drivers.

    INPUT

    • Mission, vision, value statements

    OUTPUT

    • Weights for value drivers

    Materials

    • Whiteboard
    • Markers

    Participants

    • Business value authorities
    • Owner of value measurement framework

    Weigh your value drivers

    1.3 Estimated Time: 30 minutes

    | Value Driver | Percentage Allocation | 1 to 10 Weight |
    |---|---|---|
    | Revenue and other funding | 24% | 9 |
    | Cost reduction | 8% | 3 |
    | Compliance | 5% | 2 |
    | Customer value | 30% | 10 |
    | Operations | 13% | 7 |
    | Innovation | 5% | 2 |
    | Sustainability and social responsibility | 2% | 1 |
    | Internal learning and development | 3% | 1 |
    | Future growth | 10% | 5 |
    | Total | 100% | |

    Carry results over to the Value Calculator

    1.3

    Document results of this activity in the “Value Drivers” tab of the Value Calculator.

    A screenshot of Info-Tech's Value Calculator is shown.

    List your value drivers.

    Define or describe your value drivers.

    Use this tool to create a repository for value sources to reuse and maintain consistency across your measurements.

    Enter the weight of each value driver in terms of importance to the organization.

    Phase 2

    Measure Value

    Step 2.1: Identify Product or Service SMEs

    Phase 1

    1.1: Identify Value Authorities

    1.2: Define Value Drivers

    Phase 2

    2.1: Identify Product or Service SMEs

    2.2: Measure Value

    This step will walk you through the following activities:

    • Identify your product or service SMEs.
    • List your product or service items and components.

    This step involves the following participants:

    • Owners of your value measurement framework
    • Product or service SMEs

    Outcomes of this step

    • Your list of targeted individuals to include in Step 2.2

    Identify the products and services you are evaluating and break down their various components for the VMF

    In order to get a full evaluation of a product or service, you need to understand its multiple facets, functions, features, capabilities, requirements, or any language you use to describe its various components.

    An image of the value measure framework is shown.

    Decompose a product or service:

    • Get the right subject matter experts in place who know the business and technical aspects of the product or service.
    • Decompose the product or service to capture all necessary components.

    Before beginning, consider how your use case will impact your value measurement approach

    This table looks at how the different use cases of the VMF call for variations of this analysis, is directed at different roles, and relies on participation from different subject matter experts to provide business context.

    | Use Case (uses of the VMF applied in this blueprint) | Value (current vs. future value) | Item (the singular entity you are producing a value score for) | Components (the various facets of that entity that need to be considered) | Scope (# of systems undergoing analysis) | Evaluator (typical role responsible for applying the VMF) | Cadence (when and why do you apply the VMF) | Information Sources (what documents, tools, etc., do you need to leverage) | SMEs (who needs to participate to define and measure value) |
    |---|---|---|---|---|---|---|---|---|
    | 1. Prioritize Your Product Backlog | You are estimating future value of proposed changes to an application. | Product backlog items (epic, feature, etc.) in your product backlog | Features; User stories; Enablers | A product | Product owner | Continuously apply the VMF to prioritize new and changing product backlog items. | Epic hypothesis, documentation; Lean business case | Product manager; ???? |
    | 2. Prioritize Your Project Backlog | | Proposed projects in your project backlog | Benefits; Outcomes; Requirements | Multiple existing and/or new applications | Project portfolio manager | Apply the VMF during your project intake process as new projects are proposed. | Completed project request forms; Completed business case forms; Project charters; Business requirements documents | Project manager; Product owners; Business analysts |
    | 3. Application Rationalization | You are measuring current value of existing applications and their features. | An application in your portfolio | The uses of the application (features, function, capabilities) | A subset of applications or the full portfolio | Application portfolio manager | During an application rationalization initiative: iteratively collect information and perform value measurements; structure your iterations based on functional areas to target the specific SMEs who can speak to a particular subset of applications. | Business capability maps | Business process owners; Business unit representatives; Business architects; Application architects; Application SMEs |
    | 4. Application Categorization | | | | The full portfolio | Application maintenance or operations manager | | SLAs; Business capability maps | |
    Identify your product or service SMEs

    2.1 Estimated Time: 15 minutes

    The objective of this exercise is to identify specific business stakeholders who can speak to the business outcomes of your applications at a functional level.

    1. Review your related materials that reference the stakeholders for the scoped products and services (i.e. capability maps, org charts, stakeholder maps).
    2. Identify your specific business stakeholders and application SMEs. These individuals represent the business at a functional level and are in tune with the business outcomes of their operations and the applications that support their operations.
      1. Use Case 1 – Product Owner, Product Manager
      2. Use Case 2 – Project Portfolio Manager, Project Manager, Product Owners, Business Process Owners, Appropriate Business Unit Representatives
      3. Use Case 3 – Application Portfolio Manager, Product Owners, Business Analysts, Application SMEs, Business Process Owners, Appropriate Business Unit Representatives
      4. Use Case 4 – Application Maintenance Manager, Operations Managers, Application Portfolio Manager, Product Owners, Application SMEs, Business Process Owners, Appropriate Business Unit Representatives

    INPUT

    • Specific product or service knowledge

    OUTPUT

    • Targeted individuals to measure specific products or services

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework

    Use Case 1: Collect and review all of the product backlog items

    Prioritizing your product backlog (epics, features, etc.) requires a consistent method of measuring the value of your product backlog items (PBIs) to continuously compare their value relative to one another. This should be treated as an ongoing initiative as new items are added and existing items change, but an initial introduction of the VMF will require you to collect and analyze all of the items in your backlog.

    Regardless of whether you are producing a value score for an epic, feature, or user story, your focus should be on identifying their various value sources. Review your product’s artifact documentation, toolsets, or other information sources to extract the business outcomes, impact, benefits, KPIs, or any other description of a value source.

    Level of valuation effort per PBI (high to low):

    • Epics (High) – Carefully valuated with input from multiple stakeholders, using metrics and consistent scoring
    • User Stories – Collaboratively valuated by the product owner and teams based on alignment and traceability to corresponding epic or feature
    • Raw Ideas (Low) – Intuitively valuated by the product owner based on alignment to product vision and organization value drivers

    What’s in your backlog?

    You may need to create standards for defining and measuring your different PBIs. Traceability can be critical here, as defined business outcomes for features or user stories may be documented at an epic level.

    Additional Research

    Build a Better Backlog helps you define and organize your product backlog items.

    Use Case 2: Review the scope and requirements of the project to determine all of the business outcomes

    Depending on where your project is in your intake process, there should be some degree of stated business outcomes or benefits. This may be a less refined description in the form of a project request or business case document, or it could be more defined in a project charter, business requirements document/toolset, or work breakdown structure (WBS). Regardless of the information source, to make proper use of the VMF you need a clear understanding of the various business outcomes to establish the new or improved value sources for the proposed project.

    A diagram of a project and its User Requirements, Business Requirements, and System Requirements is shown.

    Set Metrics Early

    Good project intake documentation begins the discussion of KPIs early on. This alerts teams to the intended value and gives your PMO the ability to integrate it into the workload of other proposed or approved projects.

    Additional Research

    Optimize Project Intake, Approval, and Prioritization provides templates to define proposed project benefits and outcomes.

    Use Cases 3 & 4: Ensure you’ve listed all of each application’s uses (functions, features, capabilities, etc.) and user groups

    An application can enable multiple capabilities, perform a variety of functions, and have a range of different user groups. Therefore, a single application can produce multiple value sources, which range in type, impact, and significance to the business’ overarching priorities. In order to effectively measure the overall value of an application you need to determine all of the ways in which that application is used and apply a business-downward view of your applications.

    Business Capability

    • Sub-capability
    • Process
    • Task

    Application

    • Module
    • Feature
    • Function

    Aim for Business Use

    Simply listing the business capabilities of an app can be too high level. Regardless of your organization’s terminology, you need to establish all of the different uses and users of an application to properly measure all of the facets of its value.

    Additional Research

    Discover Your Applications helps you identify and define the business use and features of your applications.

    List your product or service items and components

    2.2 Estimated Time: 15 minutes

    The objective of this exercise is to produce a list of the different items that you are scoring and ensure you have considered all relevant components.

    1. List each item you intend to produce a value score for:
      1. Use Case 1 – This may be the epics in your product backlog.
      2. Use Case 2 – This may be the projects in your project backlog.
      3. Use Cases 3 & 4 – This may be the applications in your portfolio. For this approach Info-Tech strongly recommends iteratively assessing the portfolio to produce a list of a subset of applications.
    2. For each item list its various components:
      1. Use Case 1 – This may be the features or user stories of an epic.
      2. Use Case 2 – This may be the business requirements of a project.
      3. Use Cases 3 & 4 – This may be the modules, features, functions, capabilities, or subsystems of an application.

    | Item | Components |
    |---|---|
    | Add Customer Portal (Epic) | User story #1: As a sales team member I need to process customer info. User story #2: As a customer I want access to… |
    | Transition to the Cloud (Project) | Requirement #1: Build Checkout Cart. NFR – Build integration with data store |
    | CRM (Application) | Order Processing (module), Returns & Claims (module), Analytics & Reporting (Feature) |

    INPUT

    • Product or service knowledge

    OUTPUT

    • Detailed list of items and components

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Use Cases 3 & 4: Create a functional view of your applications (optional)

    2.3 Estimated Time: 1 hour

    The objective of this exercise is to establish the different use cases of an application.

    1. Recall the functional requirements and business capabilities for your applications.
    2. List the various actors who will be interacting with your applications and list the consumers who will be receiving the information from the applications.
    3. Based on your functional requirements, list the use cases that the actors will perform to deliver the necessary information to consumers. Each use case serves as a core function of the application. See the diagram below for an example.
    4. Sometimes several use cases are completed before information is sent to consumers. Use arrows to demonstrate the flow of information from one use case to another.

    Example: Ordering Products Online

    • Actors: Order Customer
    • Use cases: Order Online, Search Products, Submit Delivery Information, Pay Order
    • Consumers: Order Customer, Bank

    INPUT

    • Product or service knowledge

    OUTPUT

    • Product or service function

    Materials

    • Whiteboard
    • Markers

    Participants

    • Application architect
    • Enterprise architect
    • Business and IT stakeholders
    • Business analyst
    • Development teams

    Use Cases 3 & 4: Create a functional view of your applications (optional) (cont’d.)

    2.3 Estimated Time: 1 hour

    5. Align your application’s use cases to the appropriate business capabilities and stakeholder objectives.

    Example:

    Stakeholder Objective: Automate Client Creation Processes

    • Business Capability: Account Management
      • Function: Create Client Profile
      • Function: Search Client Profiles
    • Business Capability: Sales Transaction Management
      • Function: Order Online
      • Function: Search Products
      • Function: Submit Delivery Information
      • Function: Pay Order

    Step 2.2: Measure Value

    This step will walk you through the following activities:

    • Identify your value sources.
    • Align to a value driver.
    • Assign metrics and gauge value fulfillment.

    This step involves the following participants:

    • Owners of your value measurement framework
    • Product or service SMEs

    Outcomes of this step

    • An initial list of reusable value sources and metrics
    • Value scores for your products or services

    Use your VMF and a repeatable process to produce value scores for all of your items

    With your products or services broken down, you can then determine a list of value sources, as well as their alignment to a value driver and a gauge of their value fulfillment, which in turn indicate the importance and impact of a value source respectively.

    An image of the value measure framework is shown.

    Lastly, we produce a value score for all items:

    • Determine business outcomes and value sources.
    • Align to the appropriate value driver.
    • Use metrics as the gauge of value fulfillment.
    • Collect your score.
    • Repeat.

    The business outcome is the impact the product or service has on the intended business activity

    Business outcomes are the business-oriented results produced by an organization’s capabilities and the applications that support those capabilities. The value source is, in essence, “How does the application impact the outcome?” and this can be either qualitative or quantitative.

    | Quantitative Key Words | Quantitative Examples | Qualitative Key Words | Qualitative Examples |
    |---|---|---|---|
    | Faster, cheaper | Deliver faster | Better | Better user experience |
    | More, less | More registrations per week | Private | Enhanced privacy |
    | Increase, decrease | Decrease clerical errors | Easier | Easier to input data |
    | Can, cannot | Can access their own records | Improved | Improved screen flow |
    | Do not have to | Do not have to print form | Enjoyable | Enjoyable user experience |
    | Compliant | Complies with regulation 12 | Transparent | Transparent progress |
    | Consistent | Standardized information gathered | Richer | Richer data availability |

    Adapted from Agile Coach Journal.

    Measure value – Identify your value sources

    2.4 Estimated Time: 30 minutes

    The objective of this exercise is to establish the different value sources of a product or service.

    1. List the items you are producing an overall balanced value score for. These can be products, services, projects, applications, product backlog items, epics, etc.
    2. For each item, list its various business outcomes in the form of a description that includes:
      1. The item being measured
      2. Business capability or activity
      3. How the item impacts said capability or activity

    Consider applying the user story format for future value sources or a variation for current value sources.

    As a (user), I want to (activity) so that I get (impact)

    INPUT

    • Product or service knowledge
    • Business process knowledge

    OUTPUT

    • List of value sources

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Measure value – Align to a value driver

    2.5 Estimated Time: 30 minutes

    The objective of this exercise is to determine the value driver for each value source.

    1. Align each value source to a value driver. Choose between options A and B.
      A. Using a whiteboard, draw out a 2 x 2 business value matrix or an adapted version based on your own organizational value drivers. Place each value source in the appropriate quadrant.
        1. Increase Revenue
        2. Reduce Costs
        3. Enhance Services
        4. Reach Customers
      B. Using a whiteboard or large sticky pads, create a section for each value driver. Place each value source with the appropriate value driver.

    INPUT

    • Product or service knowledge
    • Business process knowledge

    OUTPUT

    • Value driver weight

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Brainstorm the different sources of business value (cont’d.)

    2.5

    Example:

    An example of activity 2.5 is shown.

    Carry results over to the Value Calculator

    2.5

    Document results of this activity in the Value Calculator in the Item {#} tab.

    A screenshot of the Value Calculator is shown.

    List your Value Sources

    Your Value Driver weights will auto-populate

    Aim, but do not reach, for SMART metrics

    Creating meaningful metrics

    • Specific
    • Measurable
    • Achievable
    • Realistic
    • Time-based

    Follow the SMART framework when adding metrics to the VMF.

    The intention of SMART goals and metrics is to make sure you have chosen a gauge that will:

    • Reflect the actual business outcome or value source you are measuring.
    • Ensure all relevant stakeholders understand the goals or value you are driving towards.
    • Ensure you actually have the means to capture the performance.

    Info-Tech Insight

    Metrics are NOT a magical solution. They should be treated as a tool in your toolbox and are sometimes no more than a rough gauge of performance. Carefully assign metrics to your products and services and do not disregard the informed subjective perspective when SMART metrics are unavailable.

    Info-Tech Best Practice

    One last critical consideration here is the degree of effort required to collect the metric compared to the value of the analysis you are performing. Assessing whether or not to invest in a project should apply the rigor of carefully selecting and measuring value. However, performing a rationalization of the full app portfolio will likely lead to analysis paralysis. Taking an informed subjective perspective may be the better route.

    Measure value – Assign metrics and gauge value fulfillment

    2.6 Estimated Time: 30-60 minutes

    The objective of this exercise is to determine an appropriate metric for each value source.

    1. For each value source, assign a metric that will be the unit of measurement to gauge the value fulfillment of the application.
    2. Review the product or service’s performance with the metric:
      1. Use Cases 1 & 2 (Proposed Applications and/or Features) – You will need to estimate the degree of impact the product or service will have on your selected metric.
      2. Use Cases 3 & 4 (Existing Applications and/or Features) – You can review how the product or service has historically performed with your selected metric.
    3. Determine a value fulfillment on a scale of 1 to 10:
      • 10 = The product or service far exceeds expectations and targets on the metric.
      • 5 = The product or service meets expectations on this metric.
      • 1 = The product or service underperforms on this metric.

    INPUT

    • Product or service knowledge
    • Business process knowledge

    OUTPUT

    • Value driver weight

    Materials

    • Whiteboard
    • Markers

    Participants

    • Owner of value measurement framework
    • Product or service SMEs

    Carry results over to the Value Calculator

    2.6

    Document results of this activity in the Value Calculator in the Item {#} tab.

    A screenshot of Info-Tech's Value Calculator is shown.

    Assign Metrics.

    Consider using current or estimated performance and targets.

    Assess the impact on the value source with the value fulfillment.

    Collect your Overall Balanced Value Score

    Appendix

    Bibliography

    Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando – July 13, 2014. Scrum Inc. 2014. Web. 20 Nov. 2017.

    Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.

    Curtis, Bill. “The Business Value of Application Internal Quality.” CAST. 6 April 2009. Web. 20 Nov. 2017.

    Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM. April 2008. Web. 20 Nov. 2017.

    Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group. 20 Nov. 2017.

    Intrafocus. “What is a Balanced Scorecard?” Intrafocus. Web. 20 Nov. 2017.

    Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and Controlling. 12th ed., Wiley, 2017.

    Lankhorst, Marc, et al. “Architecture-Based IT Valuation.” Via Nova Architectura. 31 March 2010. Web. 20 Nov. 2017.

    Rachlin, Sue, and John Marshall. “Value Measuring Methodology.” Federal CIO Council, Best Practices Committee. October 2002. Web. April 2019.

    Thiagarajan, Srinivasan. “Bridging the Gap: Enabling IT to Deliver Better Business Outcomes.” Cognizant. July 2017. Web. April 2019.

    Enhance PPM Dashboards and Reports

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $18,849 Average $ Saved
    • member rating average days saved: 66 Average Days Saved
    • Your organization has introduced project portfolio management (PPM) processes that require new levels of visibility into the project portfolio that were not required before.
    • Key PPM decision makers are requesting new or improved dashboards and reports to help support making difficult decisions.
    • Often PPM dashboards and reports provide too much information and are difficult to navigate, resulting in information overload and end-user disengagement.
    • PPM dashboards and reports are laborious to maintain; ineffective dashboards end up wasting scarce resources, delay decisions, and negatively impact the perceived value of the PMO.

    Our Advice

    Critical Insight

    • Well-designed dashboards and reports help actively engage stakeholders in effective management of the project portfolio by communicating information and providing support to key PPM decision makers. This tends to improve PPM performance, making resource investments into reporting worthwhile.
    • Observations and insights gleaned from behavioral studies and cognitive sciences (largely ignored in PPM literature) can help PMOs design dashboards and reports that avoid information overload and that provide targeted decision support to key PPM decision makers.

    Impact and Result

    • Enhance your PPM dashboards and reports by carrying out a carefully designed enhancement project. Start by clarifying the purpose of PPM dashboards and reports. Establish a focused understanding of PPM decision-support needs, and design dashboards and reports to address these in a targeted way.
    • Conduct a thorough review of all existing dashboards and reports, evaluating the need, effort, usage, and satisfaction of each report to eliminate any unnecessary or ineffective dashboards and design improved dashboards and reports that will address these gaps.
    • Design effective and targeted dashboards and reports to improve the engagement of senior leaders in PPM and help improve PPM performance.

    Enhance PPM Dashboards and Reports Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your PPM reports and dashboards, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish a PPM dashboard and reporting enhancement project plan

    Identify gaps, establish a list of dashboards and reports to enhance, and set out a roadmap for your dashboard and reporting enhancement project.

    • Enhance PPM Dashboards and Reports – Phase 1: Establish a PPM Dashboard and Reporting Enhancement Project Plan
    • PPM Decision Support Review Workbook
    • PPM Dashboard and Reporting Audit Workbook
    • PPM Dashboard and Reporting Audit Worksheets – Existing
    • PPM Dashboard and Reporting Audit Worksheets – Proposed
    • PPM Metrics Menu
    • PPM Dashboard and Report Enhancement Project Charter Template

    2. Design and build enhanced PPM dashboards and reporting

    Gain an understanding of how to design effective dashboards and reports.

    • Enhance PPM Dashboards and Reports – Phase 2: Design and Build New or Improved PPM Dashboards and Reporting
    • PPM Dashboard and Report Requirements Workbook
    • PPM Executive Dashboard Template
    • PPM Dashboard and Report Visuals Template
    • PPM Capacity Dashboard Operating Manual

    3. Implement and maintain effective PPM dashboards and reporting

    Officially close and evaluate the PPM dashboard and reporting enhancement project and transition to an ongoing and sustainable PPM dashboard and reporting program.

    • Enhance PPM Dashboards and Reports – Phase 3: Implement and Maintain Effective PPM Dashboards and Reporting
    • PPM Dashboard and Reporting Program Manual

    Workshop: Enhance PPM Dashboards and Reports

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish a PPM Dashboard and Reporting Enhancement

    The Purpose

    PPM dashboards and reports will only be effective and valuable if they are designed to meet your organization’s specific needs and priorities.

    Conduct a decision-support review and a thorough dashboard and report audit to identify the gaps your project will address.

    Take advantage of the planning stage to secure sponsor and stakeholder buy-in.

    Key Benefits Achieved

    Current-state assessment of satisfaction with PPM decision-making support.

    Current-state assessment of all existing dashboards and reports: effort, usage, and satisfaction.

    A shortlist of dashboards and reports to improve that is informed by actual needs and priorities.

    A shortlist of dashboards and reports to create that is informed by actual needs and priorities.

    The foundation for a purposeful and focused PPM dashboard and reporting program that is sustainable in the long term.

    Activities

    1.1 Engage in PPM decision-making review.

    1.2 Perform a PPM dashboard and reporting audit and gap analysis.

    1.3 Identify dashboards and/or reports needed.

    1.4 Plan the PPM dashboard and reporting project.

    Outputs

    PPM Decision-Making Review

    PPM Dashboard and Reporting Audit

    Prioritized list of dashboards and reports to be improved and created

    Roadmap for the PPM dashboard and reporting project

    2 Design New or Improved PPM Dashboards and Reporting

    The Purpose

    Once the purpose of each PPM dashboard and report has been identified (based on needs and priorities) it is important to establish what exactly will be required to produce the desired outputs.

    Gathering stakeholder and technical requirements will ensure that the proposed and finalized designs are realistic and sustainable in the long term.

    Key Benefits Achieved

    Dashboard and report designs that are informed by a thorough analysis of stakeholder and technical requirements.

    Dashboard and report designs that are realistically sustainable in the long term.

    Activities

    2.1 Review the best practices and science behind effective dashboards and reporting.

    2.2 Gather stakeholder requirements.

    2.3 Gather technical requirements.

    2.4 Build wireframe options for each dashboard or report.

    2.5 Review options: requirements, feasibility, and usability.

    2.6 Finalize initial designs.

    2.7 Design and record the input, production, and consumption workflows and processes.

    Outputs

    List of stakeholder requirements for dashboards and reports

    Wireframe design options

    Record of the assessment of each wireframe design: requirements, feasibility, and usability

    A set of finalized initial designs for dashboards and reports.

    Process workflows for each initial design

    3 Plan to Roll Out Enhanced PPM Dashboards and Reports

    The Purpose

    Ensure that enhanced dashboards and reports are actually adopted in the long term by carefully planning their roll-out to inputters, producers, and consumers.

    Plan to train all stakeholders, including report consumers, to ensure that the reports generate the decision support and PPM value they were designed to.

    Key Benefits Achieved

    An informed, focused, and scheduled plan for rolling out dashboards and reports and for training the various stakeholders involved.

    Activities

    3.1 Plan for external resourcing (if necessary): vendors, consultants, contractors, etc.

    3.2 Conduct impact analysis: risks and opportunities.

    3.3 Create an implementation and training plan.

    3.4 Determine PPM dashboard and reporting project success metrics.

    Outputs

    External resourcing plan

    Impact analysis and risk mitigation plan

    Record of the PPM dashboard and reporting project success metrics

    Build Resilience Against Ransomware Attacks

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $68,467 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.

    Our Advice

    Critical Insight

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Impact and Result

    • Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Build Resilience Against Ransomware Attacks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Resilience Against Ransomware Attacks

    Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.

    • Build Resilience Against Ransomware Attacks – Phases 1-4

    2. Ransomware Resilience Assessment – Complete the ransomware resilience assessment and establish metrics.

    Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.

    • Ransomware Resilience Assessment

    3. Threat Preparedness Workbook – Improve protection and detection capabilities.

    Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and devise appropriate countermeasures.

    • Enterprise Threat Preparedness Workbook

    4. Tabletop Planning Exercise and Example Results – Improve response and recovery capabilities with a tabletop exercise for your internal IT team.

    Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.

    • Tabletop Exercise – Internal (Ransomware Template)
    • Ransomware Tabletop Planning Results – Example (Visio)
    • Ransomware Tabletop Planning Results – Example (PDF)

    5. Ransomware Response Runbook and Workflow – Document ransomware response steps and key stakeholders.

    Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.

    • Ransomware Response Runbook Template
    • Ransomware Response Workflow Template (Visio)
    • Ransomware Response Workflow Template (PDF)

    6. Extended Tabletop Exercise and Leadership Guide – Run a tabletop test to plan and practice the response of your leadership team.

    Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.

    • Tabletop Exercise – Extended (Ransomware Template)
    • Leadership Guide for Extended Ransomware

    7. Ransomware Resilience Summary Presentation – Summarize status and next steps in an executive presentation.

    Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.

    • Ransomware Resilience Summary Presentation

    Workshop: Build Resilience Against Ransomware Attacks

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Ransomware Resilience

    The Purpose

    Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.

    Key Benefits Achieved

    Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.

    Complete a current state assessment of key security controls in a ransomware context.

    Activities

    1.1 Review incidents, challenges, and project drivers.

    1.2 Diagram critical systems and dependencies and build risk scenario.

    1.3 Assess ransomware resilience.

    Outputs

    Workshop goals

    Ransomware Risk Scenario

    Ransomware Resilience Assessment

    2 Protect and Detect

    The Purpose

    Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.

    Key Benefits Achieved

    Identify targeted countermeasures that improve protection and detection capabilities.

    Activities

    2.1 Assess ransomware threat preparedness.

    2.2 Determine the impact of ransomware techniques on your environment.

    2.3 Identify countermeasures to improve protection and detection capabilities.

    Outputs

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    3 Respond and Recover

    The Purpose

    Improve your organization’s capacity to respond to ransomware attacks and recover effectively.

    Key Benefits Achieved

    Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.

    Activities

    3.1 Review the workflow and runbook templates.

    3.2 Update/define your threat escalation protocol.

    3.3 Define scenarios for a range of incidents.

    3.4 Run a tabletop planning exercise (IT).

    3.5 Update your ransomware response runbook.

    Outputs

    Security Incident Response Plan Assessment.

    Tabletop Planning Session (IT)

    Ransomware Workflow and Runbook.

    4 Improve Ransomware Resilience

    The Purpose

    Identify prioritized initiatives to improve ransomware resilience.

    Key Benefits Achieved

    Identify the role of leadership in ransomware response and recovery.

    Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.

    Activities

    4.1 Run a tabletop planning exercise (Leadership).

    4.2 Identify initiatives to close gaps and improve resilience.

    4.3 Review broader strategies to improve your overall security program.

    4.4 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.5 Review the dashboard to fine tune your roadmap.

    4.6 Summarize status and next steps in an executive presentation.

    Outputs

    Tabletop Planning Session (Leadership)

    Ransomware Resilience Roadmap and Metrics

    Ransomware Workflow and Runbook

    Further reading

    Build Ransomware Resilience

    Prevent ransomware incursions and defend against ransomware attacks

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Ransomware is a high-profile threat that demands immediate attention:

    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
    • Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

    Common Obstacles

    Ransomware is more complex than other security threats:

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Info-Tech's Approach

    To prevent a ransomware attack:

    • Conduct a thorough assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Info-Tech Insight

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.

    Analyst Perspective

    Ransomware is an opportunity and a challenge.

    As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

    The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy attacks, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

    Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

    Michel Hébert
    Research Director, Security and Privacy
    Info-Tech Research Group

    Ransomware attacks are on the rise and evolving quickly.

    Three factors contribute to the threat:

    • The rise of ransomware-as-a-service, which facilitates attacks.
    • The rise of crypto-currency, which facilitates anonymous payment.
    • State sponsorship of cybercrime.

    Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

    A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

    Total ransom money collected (2015 – 2021): USD 2,592,889,121

    This image contains a bubble plot graph showing the total ransom money collected between the years 2015 - 2021.

    The frequency and impact of ransomware attacks are increasing

    Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

    Sophos commissioned a vendor-agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

    The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

    66%
    Hit by ransomware in 2021
    (up from 37% in 2020)

    90%
    Ransomware attack affected their ability to operate

    $812,360 USD
    Average ransom payment

    $4.54M
    Average remediation cost (not including ransom)

    ONE MONTH
    Average recovery time

    Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

    Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they did not anticipate an attack.

    While these elements can help recover from an attack, they don't prevent it in the first place.

    Source: Sophos, State of Ransomware (2022)
    IBM, Cost of A Data Breach (2022)

    The 3-step ransomware attack playbook

    • Get in
    • Spread
    • Profit

    At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

    Resilient organizations look for opportunities to:

    • Learn from incursions
    • Disrupt the playbook
    • Measure effectiveness

    Initial access

    Execution

    Privilege Escalation

    Credential Access

    Lateral Movement

    Collection

    Data Exfiltration

    Data encryption

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network and collect data.

    Infect as many critical systems and backups as possible to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Ransomware is more complex than other security threats

    Ransomware groups thrive through extortion tactics.

    • Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
    • As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying backups.
    • Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

    Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

    Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

    • Detection and Response – Activities that enable detection, containment, eradication and recovery.
    • Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
    • Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
    • Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

    Source: IBM, Cost of a Data Breach (2022)

    Disrupt the attack at each stage of the attack workflow.

    An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

    Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

    Shortening dwell time requires better protection and detection

    Ransomware dwell times and average encryption rates are improving dramatically.

    Hackers spend less time in your network before they attack, and their attacks are much more effective.

    Avg dwell time
    3-5 Days

    Avg encryption rate
    70 GB/h

    Avg detection time
    11 Days

    What is dwell time and why does it matter?

    Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

    Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

    Dwell times are dropping, and encryption rates are increasing.

    It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

    References: BleepingComputer (2022), VentureBeat, Dark Reading, ZDNet.

    Resilience depends in part on response and recovery capabilities

    This blueprint will focus on improving your ransomware resilience to:

    • Protect against ransomware.
    • Detect incursions.
    • Respond and recover effectively.

    Response

    Recovery

    This image depicts the pathway for response and recovery from a ransomware event.

    For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    This image contains the thought map for Info-Tech's Blueprint: Build Resilience Against Ransomware Attacks.

    Info-Tech's ransomware resilience methodology

    Phase 1: Assess resilience
    Phase steps
    1. Build ransomware risk scenario
    2. Conduct resilience assessment
    Phase outcomes
    • Ransomware Resilience Assessment
    • Risk Scenario

    Phase 2: Protect and detect
    Phase steps
    1. Assess attack vectors
    2. Identify countermeasures
    Phase outcomes
    • Targeted ransomware countermeasures to improve protection and detection capabilities

    Phase 3: Respond and recover
    Phase steps
    1. Review Security Incident Management Plan
    2. Run Tabletop Test (IT)
    3. Document Workflow and Runbook
    Phase outcomes
    • Security Incident Response Plan Assessment
    • Tabletop Test (IT)
    • Ransomware Workflow and Runbook

    Phase 4: Improve resilience
    Phase steps
    1. Run Tabletop Test (Leadership)
    2. Prioritize Resilience Initiatives
    Phase outcomes
    • Tabletop Test (Leadership)
    • Ransomware Resilience Roadmap & Metrics

    Insight Summary

    Shift to a ransomware resilience model

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

    Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly.

    Visualize challenges

    Build risk scenarios that describe how a ransomware attack would impact organizational goals.

    Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

    Prioritize protection

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    Seize the moment

    The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

    Measure ransomware resilience

    The anatomy of a ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

    Key deliverable

    Ransomware resilience roadmap

    The resilience roadmap captures the key insights your work will generate, including:

    • An assessment of your current state and a list of initiatives you need to improve your ransomware resilience.
    • The lessons learned from building and testing the ransomware response workflow and runbook.
    • The controls you need to implement to measure and improve your ransomware resilience over time.

    Project deliverables

    Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

    Ransomware Resilience Assessment

    Measure ransomware resilience, identify gaps, and draft initiatives.

    Enterprise Threat Preparedness Workbook

    Analyze common ransomware techniques and develop countermeasures.

    Ransomware Response Workflow & Runbook

    Capture key process steps for ransomware response and recovery.

    Ransomware Tabletop Tests

    Run tabletops for your IT team and your leadership team to gather lessons learned.

    Ransomware Resilience Roadmap

    Capture project insights and measure resilience over time.

    Plan now or pay later

    Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.

    Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.

    After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

    Source: IBM, Cost of a Data Breach (2022)

    See what members have to say about the ransomware resilience blueprint:

    • Overall Impact: 9.8 / 10
    • Average $ Saved: $98,796
    • Average Days Saved: 17

    "Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."

    CIO, Global Manufacturing Organization

    Blueprint benefits

    IT benefits

    • Provide a structured approach for your organization to identify gaps, quantify the risk, and communicate status to drive executive buy-in.
    • Create a practical ransomware incident response plan that combines a high-level workflow with a detailed runbook to coordinate response and recovery.
    • Present an executive-friendly project roadmap with resilience metrics that summarizes your plan to address gaps and improve your security posture.

    Business benefits

    • Enable leadership to make risk-based, informed decisions on resourcing and investments to improve ransomware readiness.
    • Quantify the potential impact of a ransomware attack on your organization to drive risk awareness.
    • Identify existing gaps so they can be addressed, whether by policy, response plans, technology, or a combination of these.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Executive brief case study

    SOURCE: Interview with CIO of large enterprise

    Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.

    Challenge

    In February 2020, a large organization found a ransomware note on an admin's workstation. The admin had downloaded a local copy of the organization's identity management database for testing and left a port open on the workstation. Hackers exfiltrated the database and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

    Complication

    Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

    The organization decided not to pay the ransom because it had a copy on an unaffected server.

    Resolution

    The organization was praised for its timely and transparent response.

    The breach motivated the organization to put more protections in place, including:

    • The implementation of a deny-by-default network.
    • The elimination of remote desktop protocol and secure shell.
    • IT mandating MFA.
    • New endpoint-detection and response systems.

    Executive brief case study

    SOURCE: Info-Tech Workshop Results
    INDUSTRY: Government

    Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning

    The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they didn't have a documented ransomware incident response plan.

    Workshop results

    Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identifying key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve organizational awareness of ransomware risks and improve buy-in for investment in the security program.

    Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identify ways to improve the backup strategy and bridge further gaps in their ability to recover.

    The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.

    Guided implementation

    What kind of analyst experiences do clients have when working through this blueprint?

    Scoping Call

    • Call #1: Discuss context, identify challenges, and scope project requirements. Identify ransomware resilience metrics.

    Phase 1

    • Call #2: Build ransomware risk scenario.
    • Call #3: Assess ransomware resilience.

    Phase 2

    • Call #4: Review common ransomware attack vectors. Identify and assess mitigation controls.

    Phase 3

    • Call #5: Document ransomware workflow and runbook.
    • Call #6: Run tabletop test with IT.

    Phase 4

    • Call #7: Run tabletop test with leadership.
    • Call #8: Build ransomware roadmap. Measure ransomware resilience metrics.

    A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 4 to 6 months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1: Assess ransomware resilience

    Activities

    • 1.1.1 Review incidents, challenges, and project drivers.
    • 1.1.2 Diagram critical systems and dependencies.
    • 1.1.3 Build ransomware risk scenario.

    Deliverables

    1. Workshop goals
    2. Ransomware Risk Scenario
    3. Ransomware Resilience Assessment

    Day 2: Protect and detect

    Activities

    • 2.1 Assess ransomware threat preparedness.
    • 2.2 Determine the impact of ransomware techniques on your environment.
    • 2.3 Identify countermeasures to improve protection and detection capabilities.

    Deliverables

    1. Targeted ransomware countermeasures to improve protection and detection capabilities.

    Day 3: Respond and recover

    Activities

    • 3.1.1 Review the workflow and runbook templates.
    • 3.1.2 Update/define your threat escalation protocol.
    • 3.2.1 Define scenarios for a range of incidents.
    • 3.2.2 Run a tabletop planning exercise (IT).
    • 3.3.1 Update your ransomware response workflow.

    Deliverables

    1. Security Incident Response Plan Assessment
    2. Tabletop Planning Session (IT)
    3. Ransomware Workflow and Runbook

    Day 4: Improve ransomware resilience

    Activities

    • 4.1.1 Run a tabletop planning exercise (leadership).
    • 4.1.2 Identify initiatives to close gaps and improve resilience.
    • 4.1.3 Review broader strategies to improve your overall security program.
    • 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk.
    • 4.2.2 Review the dashboard to fine tune your roadmap.
    • 4.3.1 Summarize status and next steps in an executive presentation.

    Deliverables

    1. Tabletop Planning Session (Leadership)
    2. Ransomware Resilience Roadmap and Metrics
    3. Ransomware Summary Presentation

    Day 5: Wrap-up (offsite and offline)

    Activities

    • 5.1 Complete in-progress deliverables from previous four days.
    • 5.2 Set up review time for workshop deliverables and to discuss next steps.
    • 5.3 Revisit ransomware resilience metrics in three months.

    Deliverables

    1. Completed Ransomware Resilience Roadmap
    2. Ransomware Resilience Assessment
    3. Ransomware Resilience Summary Presentation

    Phase 1

    Assess ransomware resilience

    Phase 1 Phase 2 Phase 3 Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Conducting a maturity assessment.
    • Reviewing selected systems and dependencies.
    • Assessing a ransomware risk scenario.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 1.1

    Build ransomware risk scenario

    Activities

    1.1.1 Review incidents, challenges and project drivers

    1.1.2 Diagram critical systems and dependencies

    1.1.3 Build ransomware risk scenario

    This step will guide you through the following activities:

    • Reviewing incidents, challenges, and drivers.
    • Diagramming critical systems and dependencies.
    • Building a ransomware risk scenario.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-Matter Experts

    Outcomes of this step

    • Establish a repeatable process to evaluate and improve ransomware readiness across your environment.
    • Build a ransomware risk scenario to assess the likelihood and impact of an attack.

    1.1.1 Review incidents, challenges, and project drivers

    1 hour

    Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.

    Past incidents and other drivers

    • Past incidents (be specific):
      • Past security incidents (ransomware and other)
      • Close calls (e.g. partial breach detected before damage done)
    • Audit findings
    • Events in the news
    • Other?

    Security challenges

    • Absent or weak policies
    • Lack of security awareness
    • Budget limitations
    • Other?

    Input

    • Understanding of existing security capability and past incidents.

    Output

    • Documentation of past incidents and challenges.
    • Level-setting across the team regarding challenges and drivers.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.2 Diagram critical systems and dependencies (1)

    1 hour

    Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.

    Focus on a few key critical systems.

    1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
      1. Key applications that support critical business operations.
      2. Databases that support multiple key applications.
      3. Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
    2. Select five to ten systems from the list.
      1. Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
      2. Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    1.1.2 Diagram critical systems and dependencies (2)

    1 hour

    1. A high-level topology or architectural diagram is an effective way to identify dependencies and communicate risks to stakeholders.

    Start with a WAN diagram, then your production data center, and then each critical system. Use the next three slides as your guide.

    Notes:

    • If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
    • Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
    • Collaborate with relevant SMEs to identify dependencies.

    For your WAN diagram, focus on data center and business locations

    Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

    This image contains an example of a high-level network diagram.

    Diagram your production data center to provide context for the systems in scope

    Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

    This image contains an example of a high-level diagram that focuses on the data centers relevant to the selected system.

    Diagram each selected system to identify specific dependencies and redundancies

    Diagram the "ecosystem" for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

    When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

    • Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
    • Security challenges (e.g. public-facing systems).
    • Recovery challenges (e.g. limited or infrequent backups).
    This is an example of a diagram of a system ecosystem.

    Note the limitations of your security, backup, and DR solutions

    Use the diagrams to assess limitations. Gaps you identify here will often apply to other aspects of your environment.

    • Security limitations
      • Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?
    • Backup limitations
      • What steps are taken to ensure the integrity of your backups (e.g. through inline or post-backup scanning, or the use of immutable backups)? Are there multiple restore points to provide more granularity when determining how far back you need to go for a clean backup?
    • Disaster recovery limitations
      • Does your DR solution account for ransomware attacks or is it designed only for one-way failover (i.e. for a smoking hole scenario)?

    We will review the gaps we identify through the project in phase 4.

    For now, make a note of these gaps and continue with the next step.

    Draft risk scenarios to illustrate ransomware risk

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Risk identification → Risk scenario → Risk statement

    Well-crafted risk scenarios have four components

    The slides walk through how to build a ransomware risk scenario

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    • Threat: An actor capable of harming an asset. Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors.
    • Asset: Anything of value that can be affected and results in loss. Examples: Systems, regulated data, intellectual property, people.
    • Method: Technique an actor uses to affect an asset. Examples: Credential compromise, privilege escalation, data exfiltration.
    • Effect: How loss materializes. Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety.

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.

    Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.

    1.1.3 Build ransomware risk scenario (1)

    2 hours

    In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.

    The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.

    As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.

    Consider the impact on:

    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty.

    Input

    • Understanding of critical systems and dependencies.

    Output

    • Ransomware risk scenario to engage stakeholders and guide them to make informed decisions about addressing risks.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.3 Build ransomware risk scenario (2)

    2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.
    2. Bring together the critical risk elements into a single risk scenario.
    3. Distill the risk scenario into a single risk statement that captures the threat, the asset it will exploit, the method it will use, and the impact it will have on the organization.
    4. You can find a sample risk scenario and risk statement on the next slide.

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    Inputs for risk scenario identification

    Risk analysis

    Critical assets

    • ERP, CRM, FMS, LMS
    • Operational technology
    • Sensitive or regulated data

    Threat agents

    • Cybercriminals

    Methods

    • Compromise end user devices through social engineering attacks. Compromise networks through external exposures and software vulnerabilities.
    • Identify and crack administrative account. Escalate privileges. Move laterally.
    • Collect data, destroy backups, exfiltrate data for leverage, encrypt systems.
    • Threaten to publish exfiltrated data and demand ransom.

    Adverse effect

    • Serious business disruption
    • Financial damage
    • Reputational damage
    • Potential litigation

    Average downtime: 30 Days

    Average clean-up costs: USD 1.4M

    Sample ransomware risk scenario

    Likelihood: Medium
    Impact: High

    Risk scenario

    Cybercriminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.

    They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.

    Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.

    Risk statement

    Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.

    Threat Actor:

    • Cybercriminals

    Assets:

    • Critical systems (ERP, FMS, CRM, LMS)
    • HRIS and payroll
    • Data warehouse
    • Office 365 ecosystem (email, Teams)

    Effect:

    • Loss of system availability
    • Loss of data confidentiality

    Methods:

    • Phishing
    • Credential compromise
    • Compromised remote desktop protocol
    • Privilege escalation
    • Lateral movement
    • Data collection
    • Data exfiltration
    • Data encryption

    Step 1.2

    Conduct resilience assessment

    Activities

    1.2.1 Complete resilience assessment

    1.2.2 Establish resilience metrics

    This step will guide you through the following activities:

    • Completing a ransomware resilience assessment.
    • Establishing baseline metrics to measure ransomware resilience.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-matter experts

    Outcomes of this step

    • Current maturity, targets, and initial gap analysis

    Maturity levels in this blueprint draw on the CMMI framework

    The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.

    CMMI Maturity Level – Default Descriptions:

    • Level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
    • Level 2 – Managed: Managed on the project level. Projects are planned, performed, measured, and controlled.
    • Level 3 – Defined: Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
    • Level 4 – Quantitatively managed: Measured and controlled. Organization is data-driven, with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
    • Level 5 – Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization's stability provides a platform for agility and innovation.

    CMMI Maturity Level – Modified for This Assessment:

    • Level 1 – Initial/ad hoc: Not well defined and ad hoc in nature.
    • Level 2 – Developing: Established but inconsistent and incomplete.
    • Level 3 – Defined: Formally established, documented, and repeatable.
    • Level 4 – Managed and measurable: Managed using qualitative and quantitative data to ensure alignment with business requirements.
    • Level 5 – Optimizing: Qualitative and quantitative data is used to continually improve.

    (Source: CMMI Institute, CMMI Levels of Capability and Performance)

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect, Detect, Respond, Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    1.2.1 Complete the resilience assessment

    2-3 hours

    Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.

    Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.

    Download the Ransomware Resilience Assessment

    Outcomes:

    • Capture baseline resilience metrics to measure progress over time.
      • Low scores are common. Use them to make the case for security investment.
    • Clarify the breadth of security controls.
      • Security controls intersect with a number of key processes and technologies, each of which is critical to ransomware resilience.
    • Key gaps identified.
      • Allocate more time to subsections with lower scores.
      • Repeat the scorecard at least annually to clarify remaining areas to address.

    Input

    • Understanding of current security controls

    Output

    • Current maturity, targets, and gaps

    Materials

    • Ransomware Resilience Assessment Tool

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Ransomware Resilience Assessment Table from Info-Tech's Ransomware Resilience Assessment Blueprint.

    1.2.2 Establish resilience metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Measure metrics at the start of the project to establish a baseline, and again as the project nears completion to measure progress.

    | Attack workflow | Process | Metric | Target trend | Current | Goal |
    |---|---|---|---|---|---|
    | GET IN | Vulnerability Management | % Critical patches applied | Higher is better | | |
    | GET IN | Vulnerability Management | # of external exposures | Fewer is better | | |
    | GET IN | Security Awareness Training | % of users tested for phishing | Higher is better | | |
    | SPREAD | Identity and Access Management | Adm accounts / 1000 users | Lower is better | | |
    | SPREAD | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
    | SPREAD | Security Incident Management | Avg time to detect | Lower is better | | |
    | PROFIT | Security Incident Management | Avg time to resolve | Lower is better | | |
    | PROFIT | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
    | PROFIT | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |
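
    The metrics in the table above can be derived from inventory and incident records and compared between the baseline and a later measurement. The following is an added example, not part of the Info-Tech blueprint or its tools: the record fields, metric key names, and sample values are all constructed, and it goes slightly beyond the table by labelling each metric as improved or regressed against its target trend.

```python
from datetime import datetime
from statistics import mean

# Target trend for each metric in the table (True = higher is better).
# Metric keys are names chosen for this example.
HIGHER_IS_BETTER = {
    "pct_critical_patches_applied": True,
    "external_exposures": False,
    "pct_users_phish_tested": True,
    "admin_accounts_per_1000_users": False,
    "pct_users_mfa": True,
    "avg_hours_to_detect": False,
    "avg_hours_to_resolve": False,
    "pct_critical_assets_recovery_tested": True,
    "pct_backups_immutable": True,
}


def pct(part, whole):
    """Percentage to one decimal place; None when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else None


def hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def avg_hours(incidents, start_key, end_key):
    """Mean elapsed hours across incidents; None when no incidents were recorded."""
    if not incidents:
        return None
    return round(mean(hours(i[start_key], i[end_key]) for i in incidents), 1)


def compute_metrics(snap):
    """Derive the nine resilience metrics from one point-in-time snapshot."""
    users, patches = snap["users"], snap["critical_patches"]
    critical = [a for a in snap["assets"] if a["critical"]]
    backups, incidents = snap["backup_jobs"], snap["incidents"]
    admins = sum(u["admin"] for u in users)
    return {
        "pct_critical_patches_applied": pct(sum(p["applied"] for p in patches), len(patches)),
        "external_exposures": len(snap["external_exposures"]),
        "pct_users_phish_tested": pct(sum(u["phish_tested"] for u in users), len(users)),
        "admin_accounts_per_1000_users": round(1000 * admins / len(users), 1) if users else None,
        "pct_users_mfa": pct(sum(u["mfa"] for u in users), len(users)),
        # Assumption: detection time runs from first attacker activity to detection,
        # and resolution time from detection to closure.
        "avg_hours_to_detect": avg_hours(incidents, "started", "detected"),
        "avg_hours_to_resolve": avg_hours(incidents, "detected", "resolved"),
        "pct_critical_assets_recovery_tested": pct(
            sum(a["recovery_tested"] for a in critical), len(critical)),
        "pct_backups_immutable": pct(sum(b["immutable"] for b in backups), len(backups)),
    }


def compare(baseline, current):
    """Label each metric improved/regressed/unchanged/no data against its target trend."""
    result = {}
    for name, higher_better in HIGHER_IS_BETTER.items():
        before, after = baseline[name], current[name]
        if before is None or after is None:
            result[name] = "no data"
        elif after == before:
            result[name] = "unchanged"
        else:
            result[name] = "improved" if (after > before) == higher_better else "regressed"
    return result


def snapshot(users, admins, mfa, tested, patched, exposures, incidents, tested_assets, immutable):
    """Build a constructed snapshot: 40 critical patches, 5 critical assets, 10 backup jobs."""
    return {
        "users": [{"admin": i < admins, "mfa": i < mfa, "phish_tested": i < tested}
                  for i in range(users)],
        "critical_patches": [{"applied": i < patched} for i in range(40)],
        "external_exposures": exposures,
        "incidents": incidents,
        "assets": [{"critical": True, "recovery_tested": i < tested_assets} for i in range(5)]
        + [{"critical": False, "recovery_tested": False}],
        "backup_jobs": [{"immutable": i < immutable} for i in range(10)],
    }


# Constructed sample data: a baseline at project start and a follow-up near completion.
BASELINE = snapshot(200, 6, 90, 50, 26, ["rdp-gateway", "ssh-bastion", "legacy-vpn"], [
    {"started": "2024-01-10T08:00", "detected": "2024-01-11T20:00", "resolved": "2024-01-14T20:00"},
    {"started": "2024-02-01T00:00", "detected": "2024-02-01T12:00", "resolved": "2024-02-02T12:00"},
], 1, 0)
FOLLOW_UP = snapshot(200, 3, 180, 40, 38, ["legacy-vpn"], [
    {"started": "2024-06-01T09:00", "detected": "2024-06-01T13:00", "resolved": "2024-06-02T01:00"},
], 4, 4)

if __name__ == "__main__":
    before, after = compute_metrics(BASELINE), compute_metrics(FOLLOW_UP)
    for name, verdict in compare(before, after).items():
        print(f"{name:38} {before[name]!s:>6} -> {after[name]!s:>6}  {verdict}")
```

    In the constructed data, phishing test coverage drops between measurements, so that metric is reported as regressed while the others improve.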

    Phase 2

    Improve protection and detection capabilities

    This phase will walk you through the following activities:

    • Assessing common ransomware attack vectors.
    • Identifying countermeasures to improve protection and detection capabilities.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Step 2.1

    Assess attack vectors

    Activities

    2.1.1 Assess ransomware threat preparedness

    2.1.2 Determine the impact of ransomware techniques on your environment

    This step involves the following activities:

    • Assessing ransomware threat preparedness.
    • Configuring the threat preparedness tool.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Assess risks associated with common ransomware attack vectors.

    Use the MITRE ATT&CK® framework to prepare

    This phase draws on MITRE to improve ransomware protection and detection capabilities

    • The activities in this phase provide guidance on how to use the MITRE ATT&CK® framework to protect your organization against common ransomware techniques and tactics, and detect incursions.
    • You will:
      • Review common ransomware tactics and techniques.
      • Assess their impact on your environment.
      • Identify relevant countermeasures.
    • The Enterprise Threat Preparedness Workbook included with the project blueprint will be set up to deal with common ransomware threats and tactics.

    Download the Enterprise Threat Preparedness Workbook

    Review ransomware tactics and techniques

    Ransomware attack workflow

    1. Deliver phishing email designed to avoid spam filter.
    2. Launch malware undetected.
    3. Identify user accounts.
    4. Target an admin account.
    5. Use brute force tactics to crack it.
    6. Move through the network. Collect data.
    7. Infect critical systems and backups to limit recovery options.
    8. Exfiltrate data to gain leverage.
    9. Encrypt data, which triggers alert.
    10. Deliver ransom note.

    Associated MITRE tactics and techniques

    • Initial access
    • Execution
    • Privilege escalation
    • Credential access
    • Lateral movement
    • Collection
    • Data Exfiltration
    • Data encryption

    Most common ransomware attack vectors

    • Phishing and social engineering
    • Exploitation of software vulnerabilities
    • Unsecured external exposures
      • e.g. remote desktop protocols
    • Malware infections
      • Email attachments
      • Web pages
      • Pop-ups
      • Removable media

    2.1.1 Assess ransomware threat preparedness

    Estimated Time: 1-4 hours

    1. Read through the instructions in the Enterprise Threat Preparedness Workbook.
    2. Select ransomware attack tactics to analyze. Use the workbook to understand:
      1. Risks associated with each attack vector.
      2. Existing controls that can help you protect the organization and detect an incursion.
    3. This initial analysis is meant to help you understand your risk before you apply additional controls.

    Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    2.1.2 Determine the impact of techniques

    Estimated Time: 1-4 hours

    1. The Enterprise Threat Preparedness Workbook included with the project blueprint is set up to deal with common ransomware use cases.

    If you would like to change the set-up, go through the following steps.

    • Review the enterprise matrix. Select the right level of granularity for your analysis. If you are new to threat preparedness exercises, the Technique Level is a good starting point.
    • As you move through each tactic, align each sheet to your chosen technique domain to ensure the granularity of your analysis is consistent.
    • Read the tactics sheet from left to right. Determine the impact of the technique on your environment. For each control, indicate current mitigation levels using the dropdown list.

    The following slides walk you through the process with screenshots from the workbook.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Select the domain for the analysis

    • The Tactics Dashboard is a live feed of your overall preparedness for the potential attack vectors that your organization may face. These 14 tactics correspond to the Enterprise Matrix used by the MITRE ATT&CK® framework.
    • The technique domain on the right side of the sheet is split into two main groups:
      • The Technique Level
        • High-level techniques that an attacker may use to gain entry to your network.
        • The Technique Level is a great starting point if you are new to threat preparedness.
      • The Sub-Technique Level
        • Individual sub-techniques found throughout the MITRE ATT&CK® Framework.
        • More mature organizations will find the Sub-Technique Level generates a deeper and more precise understanding of their current preparedness.

    Info-Tech Insight

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    This is the first screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    Keep an eye on the enterprise matrix

    As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.

    Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.

    The Technique level is faster but provides fewer specifics for each control and analyzes them as a group.

    The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.

    Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).

    This is the second screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.

    Configure the tactics tabs

    • Each tactic has a corresponding tab at the bottom of the Excel workbook.
      Adjusting the Technique Domain level will change the number of controls shown.
    • Next, align the sheet to the domain you selected on Tab 2 before you continue. As shown in the example to the right,
      • Select "1" for Technique Level.
      • Select "2" for Sub-Technique Level.
    • This will collapse the controls to your chosen level of granularity.

    This is a screenshot showing how you can configure the tactics tab of the Ransomware Threat Preparedness Workbook

    Read tactic sheets from left to right

    This is a screenshot of the tactics tab of the Ransomware Threat Preparedness Workbook

    Technique:

    How an attacker will attempt to achieve their goals through a specific action.

    ID:

    The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.

    Impact of the Technique(s):

    If an attack of this type is successful on your network, how deep does the damage run?

    Current Mitigations:

    What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.

    Determine the impact of the technique

    • For each control, indicate the current mitigation level using the dropdown list.
    • Only use "N/A" if you are confident that the control is not required in your organization.

    Info-Tech Insight

    We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.

    This is the second screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Review technique preparedness

    • If you have chosen the Technique level, the tool should resemble this image:
      • High-level controls are analyzed, and sub-controls hidden.
      • The sub-techniques under the broader technique show how a successful attack from this vector would impact your network.
    • Each sub-technique has a note for additional context:
      • Under Impact, select the overall impact for the listed controls to represent how damaging you believe the controls to be.
      • Next, select your current preparedness maturity for the same techniques. Ask yourself "What do I have that contributes to blocking this technique?"

    This is the third screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Info-Tech Insight

    You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.

    Review sub-technique preparedness

    If you have chosen the Sub-Technique level, the tool should resemble this image.

    • The granular controls are being analyzed. However, the grouped controls will still appear. It is important to not fill the grouped sections, to make sure the calculations run properly.
    • The average of your sub-techniques will be calculated to show your overall preparedness level.
    • Look at the sub-techniques under the broader technique and consider how a successful attack from this vector would impact your network.

    Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.

    • Because of the enhanced granularity, the final risk score is more representative of an enterprise's current mitigation capabilities.

    This is the fourth screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Step 2.2

    Identify countermeasures

    Activities

    2.2.1 Identify countermeasures

    This step involves the following activities:

    • Identifying countermeasures

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.

    Improve Protection and Detection Capabilities

    Review technique countermeasures

    As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.

    For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.

    Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.

    This is an image of the Privilege Escalation Tactic Analysis Table

    This is an image of the Defense Evasion Tactic Analysis Table

    Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.

    2.2.1 Identify countermeasures

    Estimated Time: 1-4 hours

    1. Review the output of the Enterprise Threat Preparedness Workbook. Remediation efforts are on the right side of the sheet. These are categorized as either detection actions or mitigation actions.
      1. Detection actions:
        • What can you do before an attack occurs, and how can you block attacks? Detection actions may thwart an attack before it ever occurs.
      2. Mitigation actions:
        • If an attacker is successful through one of the attack methods, how do you lessen the impact of the technique? Mitigation actions address this function to slow and hinder the potential spread or damage of a successful attack.
    • Detection and mitigation measures are associated with each technique and sub-technique. Not all techniques will be able to be detected properly or mitigated. However, understanding their relationships can better prepare your defensive protocols.
    • Add relevant control actions to the initiative list in the Ransomware Resilience Assessment.

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.
    • Outputs from the Threat Preparedness Workbook.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook
    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Phase 3

    Improve response and recovery capabilities

    • Phase 1: 1.1 Build ransomware risk scenario; 1.2 Conduct resilience assessment
    • Phase 2: 2.1 Assess attack vectors; 2.2 Identify countermeasures
    • Phase 3: 3.1 Review Security Incident Management Plan; 3.2 Run Tabletop Test (IT); 3.3 Document Workflow and Runbook
    • Phase 4: 4.1 Run Tabletop Test (Leadership); 4.2 Prioritize resilience initiatives; 4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Documenting your threat escalation protocol.
    • Identifying response steps and gaps.
    • Updating your response workflow and runbook.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 3.1

    Review security incident management plan

    Activities

    3.1.1 Review the workflow and runbook templates

    3.1.2 Update/define your threat escalation protocol

    This step will walk you through the following activities:

    • Reviewing the example Workflow and Runbook.
    • Updating and defining your threat escalation protocol.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Clear escalation path for critical incidents.
    • Common understanding of incident severity that will drive escalation.

    Improve response and recovery capabilities

    3.1.1 Review the workflow and runbook templates

    30 minutes

    This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as starting points for the steps in Phase 3, including documenting your threat escalation protocol.

    • The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
      The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.
    • The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
      The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

    Download the Ransomware Response Workflow Template

    Download the Ransomware Response Runbook Template

    Input

    • No Input Required

    Output

    • Visualize the end goal

    Materials

    • Example workflow and runbook in this blueprint

    Participants

    • Security Incident Response Team (SIRT)

    Two overlapping screenshots are depicted, including the table of contents from the Ransomware Response Runbook.

    3.1.2 Update/define your threat escalation protocol

    1-2 hours

    Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

    Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.

    Severity assessment: Define the severity levels based on impact and scope criteria.

    Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

    If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.

    Input

    • Current escalation process (formal or informal).

    Output

    • Define criteria for severity levels and relevant stakeholders.

    Materials

    • Ransomware Response Workflow Template

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Threat Escalation Protocol Criteria and Stakeholders.

    Step 3.2

    Run Tabletop Test (IT)

    Activities

    3.2.1 Define scenarios for a range of incidents

    3.2.2 Run a tabletop planning exercise

    This step will guide you through the following activities:

    • Defining scenarios for a range of incidents.
    • Running a tabletop planning exercise.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Other stakeholders (as relevant)

    Outcomes of this step

    • Current-state incident response workflow, including stakeholders, steps, timeline.
    • Process and technology gaps to be addressed.

    Improve response and recovery capabilities

    3.2.1 Define scenarios for a range of incidents

    30 minutes

    As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

    • Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
    • Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don't have a DRP, see Info-Tech's Create a Right-Sized Disaster Recovery Plan.)
    • Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
    • Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source or secondary attack, but this scenario would provide more focus on containing an attack on end-user devices.

    Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.

    Input

    • No input required

    Output

    • Determine the scope of your tabletop planning exercises

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Optimize the time spent by participants by running a series of focused exercises

    Not all stakeholders need to be present at every tabletop planning exercise. First, run an exercise with IT that focuses on the technical response. Run a second tabletop for non-IT stakeholders that focuses on the non-IT response, such as crisis communications and working with external stakeholders (e.g. law enforcement, cyberinsurance).

    Sample schedule:

    • Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don't expand further on the details of their process. Similarly, don't invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise, where they will have more opportunity to be involved.
    • Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).
    • Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.
    • Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

    Info-Tech Insight

    Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

    3.2.2 Run a tabletop planning exercise

    1-2 hours

    Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

    1. Select your scenario and invite relevant participants (see the previous slides).
    2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk's steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that's okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
    3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there's a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don't need to wait for information to be captured, and plan to save the detailed formatting and revising for later.)

    Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

    Download the Ransomware Tabletop Planning Results – Example

    Input

    • Baseline ransomware response workflow

    Output

    • Clarify your response workflow, capabilities, and gaps

    Materials

    • Whiteboard or sticky notes or index cards, or a shared screen

    Participants

    • Security Incident Response Team (SIRT)

    This is an example of a Ransomware Response Tabletop Planning Results Page.

    Step 3.3

    Document Workflow and Runbook

    Activities

    3.3.1 Update your ransomware response workflow

    3.3.2 Update your ransomware response runbook

    This step will guide you through the following activities:

    • Updating your ransomware response workflow.
    • Updating your ransomware response runbook.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An updated incident response workflow and runbook based on current capabilities.

    Improve response and recovery capabilities

    3.3.1 Update your ransomware response workflow

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

    • Update stakeholder swim-lanes: Clarify which stakeholders need a swim-lane (e.g. where interactions between groups need to be clarified). For example, consider an SIRT swim-lane that combines the relevant technical response roles, but have separate swim-lanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
    • Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swim-lanes. (Tip: Your workflow needs to account for a range of scenarios. It typically won't be as specific as the tabletop planning results, which focus on only one scenario.)
    • Clarify the overall workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding "Go To" connectors to minimize lines crossing each other, adding color-coding to highlight key related steps (e.g. any communication steps), and/or resizing swim-lanes to reduce the overall size of the workflow to make it easier to read.
    • Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarify your response workflow

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot from the ransomware response tabletop planning

    3.3.2 Update your ransomware response runbook

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

    • Align stakeholder sections with the workflow: Each stakeholder swim-lane in the workflow needs its own section in the runbook.
    • Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
    • Review and update your threat escalation protocol: It's best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
    • Repeat the above after each exercise. Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarified response runbook

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of the Ransomware Response Runbook

    Phase 4

    Improve ransomware resilience

    This phase will guide you through the following steps:

    • Identifying initiatives to improve ransomware resilience.
    • Prioritizing initiatives in a project roadmap.
    • Communicating status and recommendations.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 4.1

    Run Tabletop Test (Leadership)

    Activities

    • 4.1.1 Identify initiatives to close gaps and improve resilience
    • 4.1.2 Review broader strategies to improve your overall security program

    This step will walk you through the following activities:

    • Identifying initiatives to close gaps and improve resilience.
    • Reviewing broader strategies to improve your overall security program.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Specific potential initiatives based on a review of the gaps.
    • Broader potential initiatives to improve your overall security program.

    Improve ransomware resilience

    4.1.1 Identify initiatives to close gaps and improve resilience

    1 hour

    1. Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.
    2. Set up a blank spreadsheet with two columns and label them "Gaps" and "Initiatives." (It will be easier to copy the gaps and initiatives from this spreadsheet to your project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
    3. Review your tabletop planning results:
      1. Summarize the gaps in the "Gaps" column in your spreadsheet created for this activity.
      2. For each gap, write down potential initiatives to address the gap.
      3. Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don't need to identify a distinct initiative for every gap.
    4. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

    Input

    • Tabletop planning results
    • Maturity assessment

    Output

    • Identify initiatives to improve ransomware readiness

    Materials

    • Blank spreadsheet

    Participants

    • Security Incident Response Team (SIRT)

    4.1.2 Review broader strategies to improve your overall security program

    1 hour

    1. Review the following considerations as outlined on the next few slides:
      • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day-to-day incident management.
      • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected. If those options aren't very good, your backup strategy needs a refresh.
      • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
    2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

    Input

    • An understanding of your existing security practices and backup strategy.

    Output

    • Broader initiatives to improve ransomware readiness.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Implement core elements of an effective security program

    There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

    Leverage the following blueprints to implement the foundational elements of an effective security program:

    • Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
    • Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
    • Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

    Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

    • The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
    • Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
    • AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it's too late. For example, a "user" accessing a server they've never accessed before.
    • Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.
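
The behavior-based detection described above, reduced to its simplest form as an added example (not part of the Info-Tech blueprint or of any product it refers to): learn which servers each user normally reaches, then alert on a user reaching a server for the first time and raise the severity when one user hits several new servers in a short span. The log format, user and server names, the 10-minute window and the threshold of three are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events. The line format and every name in it are
# illustrative assumptions, not output from a real product.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=alice dst=fs01 result=success
2024-03-01T08:15:40 user=bob dst=db01 result=success
2024-03-02T09:01:05 user=alice dst=mail01 result=success
2024-03-03T10:22:30 user=bob dst=fs01 result=success
2024-03-04T08:05:00 user=alice dst=fs01 result=success
garbage line that should be skipped
2024-03-08T02:10:00 user=bob dst=db01 result=success
2024-03-08T02:11:00 user=bob dst=hr01 result=success
2024-03-08T02:12:30 user=bob dst=fin01 result=failure
2024-03-08T02:13:10 user=bob dst=bkp01 result=success
2024-03-08T09:00:00 user=alice dst=mail01 result=success
2024-03-08T09:30:00 user=carol dst=fs01 result=success
"""


def parse_events(text):
    """Parse 'timestamp user=.. dst=.. result=..' lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            fields = dict(p.split("=", 1) for p in parts[1:])
        except ValueError:
            continue
        if {"user", "dst", "result"}.issubset(fields):
            events.append({"ts": ts, **fields})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Learn which servers each user successfully reached before `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]].add(e["dst"])
    return baseline


def detect_first_seen(events, baseline, cutoff, burst=3, window=timedelta(minutes=10)):
    """Alert on user->server pairs that are absent from the baseline.

    Severity is 'low' when the user has no baseline at all (e.g. a new hire),
    'high' when one user touches `burst` or more new servers inside `window`
    (the network-traversal pattern), and 'medium' otherwise.
    """
    seen = {user: set(servers) for user, servers in baseline.items()}
    recent = defaultdict(list)  # user -> [(ts, dst)] first-time accesses in window
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        user, dst, ts = e["user"], e["dst"], e["ts"]
        known = seen.setdefault(user, set())
        if dst in known:
            continue
        # Keep this user's other first-time accesses that are still inside the window.
        recent[user] = [(t, d) for t, d in recent[user] if ts - t <= window and d != dst]
        recent[user].append((ts, dst))
        if user not in baseline:
            severity = "low"
        elif len(recent[user]) >= burst:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"ts": ts, "user": user, "dst": dst,
                       "result": e["result"], "severity": severity})
        if e["result"] == "success":
            known.add(dst)  # learned, so the same pair does not alert again
    return alerts


def run_demo():
    events = parse_events(SAMPLE_LOG)
    cutoff = datetime(2024, 3, 8)  # learning period ends, monitoring starts
    return detect_first_seen(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"].isoformat(), a["severity"], a["user"], "->", a["dst"], a["result"])
```

Failed attempts against a new server are counted toward the burst as well, since an attempt is a signal whether or not it succeeds.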

    Update your backup strategy to account for ransomware attacks

    Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn't good enough.

    In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

    • Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
    • Having offsite backups and using different storage media. Reduce the risk of infected backups by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
    • Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
    • Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

    This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

    This is an example of a backup strategy to account for ransomware attacks.

    Refer to Info-Tech's Establish an Effective Data Protection Plan blueprint for additional guidance.
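
The four backup practices listed above can be checked against a backup catalogue, and the catalogue can then be used to decide how far to roll back once an estimated time of compromise is known. The following is an added example, not taken from the blueprint or from any backup product; the catalogue layout, data set names, the minimum of three restore points and the rule that copies taken at or after the compromise time are suspect are assumptions for illustration.

```python
from datetime import datetime

# Constructed backup catalogue: (data_set, taken_at, site, media, immutable).
CATALOG = [
    ("erp-db", "2024-03-03T01:00", "offsite", "tape", True),
    ("erp-db", "2024-03-05T01:00", "primary", "disk", False),
    ("erp-db", "2024-03-06T01:00", "primary", "disk", False),
    ("erp-db", "2024-03-06T01:00", "offsite", "object", True),
    ("erp-db", "2024-03-06T13:00", "primary", "nas", False),
    ("erp-db", "2024-03-07T01:00", "primary", "disk", False),
    ("file-share", "2024-03-06T01:00", "primary", "disk", False),
    ("file-share", "2024-03-07T01:00", "primary", "disk", False),
]


def copies_for(catalog, data_set):
    """Return the catalogue rows for one data set as dictionaries."""
    return [
        {"taken_at": datetime.fromisoformat(ts), "site": site,
         "media": media, "immutable": immutable}
        for name, ts, site, media, immutable in catalog
        if name == data_set
    ]


def audit_backups(catalog, data_set, min_restore_points=3):
    """Check one data set against the four practices from the list above."""
    copies = copies_for(catalog, data_set)
    return {
        "multiple_restore_points":
            len({c["taken_at"] for c in copies}) >= min_restore_points,
        "offsite_copy": any(c["site"] != "primary" for c in copies),
        "different_media": len({c["media"] for c in copies}) >= 2,
        "immutable_copy": any(c["immutable"] for c in copies),
    }


def hours_between(later, earlier):
    return (later - earlier).total_seconds() / 3600


def pick_restore_point(catalog, data_set, compromised_at):
    """Choose the latest copy taken before the estimated compromise time.

    A writable copy that predates the compromise could still have been altered
    afterwards, so it is flagged for verification, and the latest immutable
    copy is reported as the fallback that can be trusted without that check.
    """
    clean = [c for c in copies_for(catalog, data_set)
             if c["taken_at"] < compromised_at]
    if not clean:
        return None  # every restore point is suspect
    # Latest first; when two copies share a timestamp, prefer the immutable one.
    clean.sort(key=lambda c: (c["taken_at"], c["immutable"]), reverse=True)
    best = clean[0]
    trusted = next((c for c in clean if c["immutable"]), None)
    return {
        "best": best,
        "rollback_hours": hours_between(compromised_at, best["taken_at"]),
        "needs_verification": not best["immutable"],
        "trusted_fallback_hours":
            hours_between(compromised_at, trusted["taken_at"]) if trusted else None,
    }


if __name__ == "__main__":
    estimated_compromise = datetime(2024, 3, 6, 20, 0)  # constructed value
    for name in ("erp-db", "file-share"):
        print(name, audit_backups(CATALOG, name))
        print(name, pick_restore_point(CATALOG, name, estimated_compromise))
```

In the constructed data, the data set with frequent, mixed-media copies can roll back 7 hours (after verifying a writable copy) or 19 hours to an immutable one, while the data set with only daily primary-disk copies has a single unverified option.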

    Explore zero-trust initiatives

    Zero trust is a set of principles, not a set of controls.

    Reduces reliance on perimeter security.

    Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.

    Zero trust must benefit the business first.

    IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.

    For more information, see Build a Zero-Trust Roadmap.

    Info-Tech Insight

    A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.

    Step 4.2

    Prioritize resilience initiatives

    Activities

    • 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk
    • 4.2.2 Review the dashboard to fine-tune your roadmap

    This step will guide you through the following activities:

    • Prioritizing initiatives based on factors such as effort, cost, and risk.
    • Reviewing the dashboard to fine-tune your roadmap.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An executive-friendly project roadmap dashboard summarizing your initiatives.
    • A visual representation of the priority, effort, and timeline required for suggested initiatives.

    Review the Ransomware Resilience Assessment

    Tabs 2 and 3 list initiatives relevant to your ransomware readiness improvement efforts.

    • At this point in the project, the Ransomware Resilience Assessment should contain a number of initiatives to improve ransomware resilience.
    • Tab 2 is prepopulated with examples of gap closure actions to consider, which are categorized into initiatives listed on Tab 3.
    • Follow the instructions in the Ransomware Resilience Assessment to:
      • Categorize gap control actions into initiatives.
      • Prioritize initiatives based on cost, effort, and benefit.
      • Construct a roadmap for consideration.

    Download the Ransomware Resilience Assessment

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

    1 hour

    Prioritize initiatives in the Ransomware Resilience Assessment.

    1. The initiatives listed on Tab 3 Initiative List will be copied automatically to Tab 5 Prioritization.
    2. On Tab 1 Setup:
      1. Review the weight you want to assign to the cost and effort criteria.
      2. Update the default values for FTE and Roadmap Start as needed.
    3. Go back to Tab 5 Prioritization:
      1. Fill in the cost, effort, and benefit evaluation criteria for each initiative. Hide optional columns you don't plan to use, to avoid confusion.
      2. Use the cost and benefit scores to prioritize waves and schedule initiatives on Tab 6 Gantt Chart.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    4.2.2 Review the dashboard to fine-tune the roadmap

    1 hour

    Review and update the roadmap dashboard in your Ransomware Resilience Assessment.

    1. Review the Gantt chart to ensure:
      1. The timeline is realistic. Avoid scheduling many high-effort projects at the same time.
      2. Higher-priority items are scheduled sooner than low-priority items.
      3. Short-term projects include quick wins (e.g. high-priority, low-effort items).
      4. It supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
    2. Update the values on the 5 Prioritization and 6 Gantt Chart tabs based on your review.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of a sample roadmap for the years 2022-2023

    Step 4.3

    Measure resilience metrics

    Activities

    • 4.3.1 Summarize status and next steps in an executive presentation

    This step will guide you through the following activities:

    • Summarizing status and next steps in an executive presentation.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization's ransomware readiness.

    Improve ransomware resilience

    4.3.1 Summarize status and next steps in an executive presentation

    1 hour

    Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

    • Phase 1: Maturity assessment results, indicating your organization's overall readiness as well as specific areas that need to improve.
    • Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
    • Phase 3: Current incident response capabilities including steps, timeline, and gaps.
    • Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.

    • Overall key findings and next steps.

    Download the Ransomware Readiness Summary Presentation Template

    Input

    • Results of all activities in Phases 1-4

    Output

    • Executive presentation

    Materials

    • Ransomware Readiness Summary Presentation Template

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of level 2 of the ransomware readiness maturity tool.

    Revisit metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Revisit metrics as the project nears completion and compare them against your baseline to measure progress.

    | Attack workflow | Process | Metric | Target trend | Current | Goal |
    |---|---|---|---|---|---|
    | GET IN | Vulnerability Management | % Critical patches applied | Higher is better | | |
    | GET IN | Vulnerability Management | # of external exposures | Fewer is better | | |
    | GET IN | Security Awareness Training | % of users tested for phishing | Higher is better | | |
    | SPREAD | Identity and Access Management | Admin accounts / 1000 users | Lower is better | | |
    | SPREAD | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
    | SPREAD | Security Incident Management | Avg time to detect | Lower is better | | |
    | PROFIT | Security Incident Management | Avg time to resolve | Lower is better | | |
    | PROFIT | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
    | PROFIT | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |

    Summary of accomplishments

    Project overview

    Project deliverables

    This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices.

    • Ransomware Resilience Assessment: Measure your current readiness, then identify people, policy, and technology gaps to address.
    • Ransomware Response Workflow: An at-a-glance summary of the key incident response steps across all relevant stakeholders through each phase of incident management.
    • Ransomware Response Runbook: Includes your threat escalation protocol and detailed response steps to be executed by each stakeholder.
    • Ransomware Tabletop Planning: This deep dive into a ransomware scenario will help you develop a more accurate incident management workflow and runbook, as well as identify gaps to address.
    • Ransomware Project Roadmap: This prioritized list of initiatives will address specific gaps and improve overall ransomware readiness.
    • Ransomware Readiness Summary Presentation: Your executive presentation will communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

    Project phases

    Phase 1: Assess ransomware resilience

    Phase 2: Protect and detect

    Phase 3: Respond and recover

    Phase 4: Improve ransomware resilience

    Related Info-Tech Research

    Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.

    Related security blueprints:

    Related disaster recovery blueprints:

    Research Contributors and Experts

    Jimmy Tom
    AVP of Information Technology and Infrastructure
    Financial Horizons

    Dan Reisig
    Vice President of Technology
    UV&S

    Samuel Sutton
    Computer Scientist (Retired)
    FBI

    Ali Dehghantanha
    Canada Research Chair in Cybersecurity and Threat Intelligence
    University of Guelph

    Gary Rietz
    CIO
    Blommer Chocolate Company

    Mark Roman
    CIO
    Simon Fraser University

    Derrick Whalen
    Director, IT Services
    Halifax Port Authority

    Stuart Gaslonde
    Director of IT & Digital Services
    Falmouth-Exeter Plus

    Deborah Curtis
    CISO
    Placer County

    Deuce Sapp
    VP of IT
    ISCO Industries

    Trevor Ward
    Information Security Assurance Manager
    Falmouth-Exeter Plus

    Brian Murphy
    IT Manager
    Placer County

    Arturo Montalvo
    CISO
    Texas General Land Office and Veterans Land Board

    Mduduzi Dlamini
    IT Systems Manager
    Eswatini Railway

    Mike Hare
    System Administrator
    18th Circuit Florida Courts

    Linda Barratt
    Director of Enterprise Architecture, IT Security, and Data Analytics
    Toronto Community Housing Corporation

    Josh Lazar
    CIO
    18th Circuit Florida Courts

    Douglas Williamson
    Director of IT
    Jamaica Civil Aviation Authority

    Ira Goldstein
    Chief Operating Officer
    Herjavec Group

    Celine Gravelines
    Senior Cybersecurity Analyst
    Encryptics

    Dan Mathieson
    Mayor
    City of Stratford

    Jacopo Fumagalli
    CISO
    Omya

    Matthew Parker
    Program Manager
    Utah Transit Authority

    Two Additional Anonymous Contributors


    Develop a Cloud Testing Strategy for Today's Apps

    • The growth of the Cloud and the evolution of business operations have shown that traditional testing strategies do not work well with modern applications.
    • Organizations require a new framework for testing cloud applications that accounts for on-demand scalability and self-provisioning.
    • Expectations of application consumers are continually increasing with speed-to-market and quality being the norm.

    Our Advice

    Critical Insight

    • Cloud technology does not change the traditional testing processes that many organizations have accepted and adopted. It does, however, enhance traditional practices with increased replication capacity, execution speed, and compatibility through its virtual infrastructure and automated processes. Consider these factors when developing the cloud testing strategy.
    • Involving the business in strategy development will keep them engaged and align business drivers with technical initiatives.
    • Implement cloud testing solutions in a well-defined rollout process to ensure business objectives are realized and cloud testing initiatives are optimized.
    • Cloud testing is green and dynamic. Realize the limitations of cloud testing and play on its strengths.

    Impact and Result

    • Engaging in a formal and standardized cloud testing strategy and consistently meeting business needs throughout the organization maintains business buy-in.
    • The Cloud compounds the benefits from virtualization and automation because of the Cloud’s scalability, speed, and off-premise and virtual infrastructure and data storage attributes.
    • Cloud testing presents a new testing avenue. Realize that only certain tests are optimized in the Cloud, i.e., load, stress, and functional testing.

    Develop a Cloud Testing Strategy for Today's Apps Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop a cloud testing strategy.

    Obtain organizational buy-in and build a standardized and formal cloud testing strategy.

    • Storyboard: Develop a Cloud Testing Strategy for Today's Apps

    2. Assess the organization's readiness for cloud testing.

    Assess your people, process, and technology for cloud testing readiness and realize areas for improvement.

    • Cloud Testing Readiness Assessment Tool

    3. Plan and manage the resources allocated to each project task.

    Organize and monitor cloud project planning tasks throughout the project's duration.

    • Cloud Testing Project Planning and Monitoring Tool

    Enterprise Architecture

    • member rating overall impact (scale of 10): 9.2/10
    • member rating average dollars saved: $28,368
    • member rating average days saved: 24
    Demystify enterprise architecture value with key metrics.

    Enhance Your Solution Architecture Practices

    • member rating overall impact (scale of 10): 9.0/10
    • member rating average dollars saved: $33,359
    • member rating average days saved: 11
    • In today’s world, business agility is essential to stay competitive. Quick responses to business needs through efficient development and deployment practices are critical for business value delivery.
    • A mature solution architecture practice is the basic necessity for a business to have technical agility.

    Our Advice

    Critical Insight

    Don’t architect for normal situations. That is a shallow approach and leads to decisions that may seem “right” but will not be able to stand up to system elasticity needs.

    Impact and Result

    • Understand the different parts of a continuous security architecture framework and how they may apply to your decisions.
    • Develop a solution architecture for upcoming work (or if there is a desire to reduce tech debt).

    Enhance Your Solution Architecture Practices Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Solution Architecture Practices Deck – A deck to help you develop an approach for or validate existing solution architecture capability.

    Translate stakeholder objectives into architecture requirements, solutions, and changes. Incorporate architecture quality attributes in decisions to increase your architecture’s life. Evaluate your solution architecture from multiple views to obtain a holistic perspective of the range of issues, risks, and opportunities.

    • Enhance Your Solution Architecture Practices – Phases 1-3

    2. Solution Architecture Template – A template to record the results from the exercises to help you define, detail, and make real your digital product vision.

    Identify and detail the value maps that support the business, and discover the architectural quality attribute that is most important for the value maps. Brainstorm solutions for design decisions for data, security, scalability, and performance.

    • Solution Architecture Template

    Workshop: Enhance Your Solution Architecture Practices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Vision and Value Maps

    The Purpose

    Document a vision statement for the solution architecture practice (in general) and/or a specific vision statement, if using a single project as an example.

    Document business architecture and capabilities.

    Decompose capabilities into use cases.

    Key Benefits Achieved

    Provide a great foundation for an actionable vision and goals that people can align to.

    Develop a collaborative understanding of business capabilities.

    Develop a collaborative understanding of use cases and personas that are relevant for the business.

    Activities

    1.1 Develop vision statement.

    1.2 Document list of value stream maps and their associated use cases.

    1.3 Document architectural quality attributes needed for use cases using SRME.

    Outputs

    Solution Architecture Template with sections filled out for vision statement canvas and value maps

    2 Continue Vision and Value Maps, Begin Phase 2

    The Purpose

    Map value stream to required architectural attributes.

    Prioritize architecture decisions.

    Discuss and document data architecture.

    Key Benefits Achieved

    An understanding of architectural attributes needed for value streams.

    Conceptual understanding of data architecture.

    Activities

    2.1 Map value stream to required architectural attributes.

    2.2 Prioritize architecture decisions.

    2.3 Discuss and document data architecture.

    Outputs

    Solution Architecture Template with sections filled out for value stream and architecture attribute mapping; a prioritized list of architecture design decisions; and data architecture

    3 Continue Phase 2, Begin Phase 3

    The Purpose

    Discuss security and threat assessment.

    Discuss resolutions to threats via security architecture decisions.

    Discuss system’s scalability needs.

    Key Benefits Achieved

    Decisions for security architecture.

    Decisions for scalability architecture.

    Activities

    3.1 Discuss security and threat assessment.

    3.2 Discuss resolutions to threats via security architecture decisions.

    3.3 Discuss system’s scalability needs.

    Outputs

    Solution Architecture Template with sections filled out for security architecture and scalability design

    4 Continue Phase 3, Start and Finish Phase 4

    The Purpose

    Discuss performance architecture.

    Compile all the architectural decisions into a solutions architecture list.

    Key Benefits Achieved

    A complete solution architecture.

    A set of principles that will form the foundation of solution architecture practices.

    Activities

    4.1 Discuss performance architecture.

    4.2 Compile all the architectural decisions into a solutions architecture list.

    Outputs

    Solution Architecture Template with sections filled out for performance and a complete solution architecture

    Further reading

    Enhance Your Solution Architecture Practice

    Ensure your software systems solution is architected to reflect stakeholders’ short- and long-term needs.

    Analyst Perspective

    Application architecture is a critical foundation for supporting the growth and evolution of application systems. However, the business is willing to exchange the extension of the architecture’s life with quality best practices for the quick delivery of new or enhanced application functionalities. This trade-off may generate immediate benefits to stakeholders, but it will come with high maintenance and upgrade costs in the future, rendering your system legacy early.

    Technical teams know the importance of implementing quality attributes into architecture but are unable to gain approval for the investments. Overcoming this challenge requires a focus of architectural enhancements on specific problem areas with significant business visibility. Then, demonstrate how quality solutions are vital enablers for supporting valuable application functionalities by tracing these solutions to stakeholder objectives and conducting business and technical risk and impact assessments through multiple business and technical perspectives.


    Andrew Kum-Seun
    Research Manager, Applications
    Info-Tech Research Group


    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    • Most organizations have some form of solution architecture; however, it may not accurately and sufficiently support the current and rapidly changing business and technical environments.
    • To enable quick delivery, applications are built and integrated haphazardly, typically omitting architecture quality practices.

    Common Obstacles

    • Failing to involve development and stakeholder perspectives in design can lead to short-lived architecture and critical development, testing, and deployment constraints and risks being omitted.
    • Architects are experiencing little traction implementing solutions to improve architecture quality due to the challenge of tracing these solutions back to the right stakeholder objectives.

    Info-Tech's Approach

    • Translate stakeholder objectives into architecture requirements, solutions, and changes. Incorporate architecture quality attributes in decisions to increase your architecture’s life.
    • Evaluate your solution architecture from multiple views to obtain a holistic perspective of the range of issues, risks, and opportunities.
    • Regularly review and recalibrate your solution architecture so that it accurately reflects and supports current stakeholder needs and technical environments.

    Info-Tech Insight

    Well-received applications can have poor architectural qualities. Functional needs often take precedence over quality architecture. Quality must be baked into design, execution, and decision-making practices to ensure the right tradeoffs are made.

    A badly designed solution architecture is the root of all technical evils

    A well-thought-through and strategically designed solution architecture is essential for the long-term success of any software system, and by extension, the organization because:

    1. It will help achieve quality attribute requirements (security, scalability, performance, usability, resiliency, etc.) for a software system.
    2. It can define and refine architectural guiding principles. A solution architecture is not only important for today but also a vision for the future of the system’s ability to react positively to changing business needs.
    3. It can help build usable (and reusable) services. In a fast-moving environment, the convenience of having pre-made plug-and-play architectural objects reduces the risk incurred from knee-jerk reactions in response to unexpected demands.
    4. It can be used to create a roadmap to an IT future state. Architectural concerns support transition planning activities that can lead to the successful implementation of a strategic IT plan.

    Demand for quick delivery makes teams omit architectural best practices, increasing downstream risks

    In its need for speed, a business often doesn’t see the value in making sure architecture is maintainable, reusable, and scalable. This demand leads to an organizational desire for development practices and the procurement of vendors that favor time-to-market over long-term maintainability. Unfortunately, technical teams are pushed to omit design quality and validation best practices.

    What are the business impacts of omitting architecture design practices?

    Poor quality application architecture impedes business growth opportunities, exposes enterprise systems to risks, and consumes precious IT budgets in maintenance that could otherwise be used for innovation and new projects.

    Previous estimations indicate that roughly 50% of security problems are the result of software design. […] Flaws in the architecture of a software system can have a greater impact on various security concerns in the system, and as a result, give more space and flexibility for malicious users. (Source: IEEE Software)

    Errors in software requirements and software design documents are more frequent than errors in the source code itself according to Computer Finance Magazine. Defects introduced during the requirements and design phase are not only more probable but also more severe and more difficult to remove. (Source: iSixSigma)

    Design a solution architecture that can be successful within the constraints and complexities set before you

    APPLICATION ARCHITECTURE…

    … describes the dependencies, structures, constraints, standards, and development guidelines to successfully deliver functional and long-living applications. This artifact lays the foundation to discuss the enhancement of the use and operations of your systems considering existing complexities.

    Good architecture design practices can give you a number of benefits:

    Lowers maintenance costs by revealing key issues and risks early. The Systems Sciences Institute at IBM has reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design. (iSixSigma)

    Supports the design and implementation activities by providing key insights for project scheduling, work allocation, cost analysis, risk management, and skills development. (IBM: developerWorks)

    Eliminates unnecessary creativity and activities on the part of designers and implementers, which is achieved by imposing the necessary constraints on what they can do and making it clear that deviation from constraints can break the architecture. (IBM: developerWorks)

    Use Info-Tech’s Continuous Solution Architecture (CSA) Framework for designing adaptable systems

    Solution architecture is not a one-size-fits-all conversation. There are many design considerations and trade-offs to keep in mind as a product or services solution is conceptualized, evaluated, tested, and confirmed. The following is a list of good practices that should inform most architecture design decisions.

    Principle 1: Design your solution to have at least two of everything.

    Principle 2: Include a “kill switch” in your fault-isolation design. You should be able to turn off everything you release.

    Principle 3: If it can be monitored, it should be. Use server and audit logs where possible.

    Principle 4: Asynchronous is better than synchronous. Asynchronous design is more complex but worth the processing efficiency it introduces.

    Principle 5: Stateless over stateful: State data should only be used if necessary.

    Principle 6: Go horizontal (scale out) over vertical (scale up).

    Principle 7: Good architecture comes in small packages.

    Principle 8: Practice just-in-time architecture. Delay finalizing an approach for as long as you can.

    Principle 9: X-ilities over features. Quality of an architecture is the foundation over which features exist. A weak foundation can never be obfuscated through shiny features.

    Principle 10: Architect for products not projects. A product is an ongoing concern, while a project is short lived and therefore only focused on what is. A product mindset forces architects to think about what can or should be.

    Principle 11: Design for rollback: When all else fails, you should be able to stand up the previous best state of the system.

    Principle 12: Test the solution architecture like you test your solution’s features.

    CSA should be used for every step in designing a solution’s architecture

    Solution architecture is a technical response to a business need, and like all complex evolutionary systems, must adapt its design for changing circumstances.

    The triggers for changes to existing solution architectures can come from, at least, three sources:

    1. Changing business goals
    2. Existing backlog of technical debt
    3. Solution architecture roadmap

    A solution’s architecture is cross-cutting and multi-dimensional and at the minimum includes:

    • Product Portfolio Strategy
    • Application Architecture
    • Data Architecture
    • Information Architecture
    • Operational Architecture

    along with several qualitative attributes (also called non-functional requirements).

    This image contains a chart which demonstrates the relationship between changing business goals, existing backlog of technical debt, and solution architecture roadmap, and Product Portfolio Strategy, Application Architecture, Data Architecture, Information Architecture, and Operational Architecture.

    Related Research: Product Portfolio Strategy

    Integrate Portfolios to Create Exceptional Customer Value

    • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
    • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
    • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

    Deliver on Your Digital Portfolio Vision

    • Recognize that a vision is only as good as the data that backs it up. Lay out a comprehensive backlog with quality built in that can be effectively communicated and understood through roadmaps.
    • Your intent is only a dream if it cannot be implemented; define what goes into a release plan via the release canvas.
    • Define a communication approach that lets everyone know where you are heading.

    Related Research: Data, Information & Integration Architecture

    Build a Data Architecture Roadmap

    • Have a framework in place to identify the appropriate solution for the challenge at hand. Our three-phase practical approach will help you build a custom and modernized data architecture.
    • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit and determine the corresponding data architecture tiers that need to be addressed.
    • Discover the best-practice trends, measure your current state, and define the targets for your data architecture tactics.
    • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

    Build a Data Pipeline for Reporting and Analytics

    • Understand your high-level business capabilities and interactions across them – your data repositories and flows should be just a digital reflection thereof.
    • Divide your data world in logical verticals overlaid with various speed data progression lanes, i.e. build your data pipeline – and conquer it one segment at a time.
    • Use the most appropriate database design pattern for a given phase/component in your data pipeline progression.

    Related Research: Operational Architecture

    Optimize Application Release Management

    • Acquire release management ownership. Ensure there is appropriate accountability for the speed and quality of the releases passing through the entire pipeline.
    • A release manager has oversight over the entire release process and facilitates the necessary communication between business stakeholders and various IT roles.
    • Instill holistic thinking. Release management includes all steps required to push release and change requests to production along with the hand-off to Operations and Support. Increase the transparency and visibility of the entire pipeline to ensure local optimizations do not generate bottlenecks in other areas.
    • Standardize and lay a strong release management foundation. Optimize the key areas where you are experiencing the most pain and continually improve.

    Build Your Infrastructure Roadmap

    • Increased communication. More information being shared to more people who need it.
    • Better planning. More accurate information being shared.
    • Reduced lead times. Less due diligence or discovery work required as part of project implementations.
    • Faster delivery times. Less low-value work, freeing up more time for project work.

    Related Research: Security Architecture

    Identify Opportunities to Mature the Security Architecture

    • A right-sized security architecture can be created by assessing the complexity of the IT department, the operations currently underway for security, and the perceived value of a security architecture within the organization. This will bring about a deeper understanding of the organizational infrastructure.
    • Developing a security architecture should also result in a list of opportunities (i.e. initiatives) that an organization can integrate into a roadmap. These initiatives will seek to improve security operations and strengthen the IT department’s understanding of security’s role within the organization.
    • A better understanding of the infrastructure will help to save time on determining the correct technologies required from vendors, and therefore, cut down on the amount of vendor noise.
    • Creating a defensible roadmap will assist with justifying future security spend.

    Key deliverable:

    Solution Architecture Template
    Record the results from the exercises to help you define, detail, and make real your digital product vision.

    Blueprint Deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    This image contains screenshots of the deliverables which will be discussed later in this blueprint

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

    Guided Implementation

    Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.

    Workshop

    We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.

    Consulting

    Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.

    Diagnostics and consistent frameworks are used throughout all four options

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1
    Exercises
    1. Articulate an architectural vision
    2. Develop dynamic value stream maps
    Outcomes
    1. Architecture vision
    2. Dynamic value stream maps (including user stories/personas)

    Day 2
    Exercises
    1. Create a conceptual map between the value stream, use case, and required architectural attribute
    2. Create a prioritized list of architectural attributes
    3. Develop a data architecture that supports transactional and analytical needs
    Outcomes
    1. List of required architectural attributes
    2. Architectural attributes prioritized
    3. Data architecture design decisions

    Day 3
    Exercises
    1. Document security architecture risks and mitigations
    2. Document scalability architecture
    Outcomes
    1. Security threat and risk analysis
    2. Security design decisions
    3. Scalability design decisions

    Day 4
    Exercises
    1. Document performance-enhancing architecture
    2. Bring it all together
    Outcomes
    1. Performance design decisions
    2. Finalized decisions

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    This GI is between 8 and 10 calls over the course of approximately four to six months.

    Phase 1 Phase 2 Phase 2
    Call #1:
    Articulate an architectural vision.
    Call #4:
    Continue discussion on value stream mapping and related use cases.
    Call #6:
    Document security design decisions.
    Call #2:
    Discuss value stream mapping and related use cases.
    Call #5:
    • Map the value streams to required architectural attribute.
    • Create a prioritized list of architectural attributes.
    Call #7:
    • Document scalability design decisions.
    • Document performance design decisions.
    Call #3:
    Continue discussion on value stream mapping and related use cases.
    Call #8:
    Bring it all together.

    Phase 1: Visions and Value Maps

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Determine a vision for architecture outcomes
    • Draw dynamic value stream maps
    • Derive architectural design decisions
    • Prioritize design decisions

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    Let’s get this straight: You need an architectural vision

    If you start off by saying I want to architect a system, you’ve already lost. Remember what a vision is for!

    An architectural vision...

    … is your North Star

    Your product vision serves as the single fixed point for product development and delivery.

    … aligns stakeholders

    It gets everyone on the same page.

    … helps focus on meaningful work

    There is no pride in being a rudderless ship. It can also be very expensive.

    And eventually...

    … kick-starts your strategy

    We know where to go, we know who to bring along, and we know the steps to get there. Let’s plan this out.

    An architectural vision is multi-dimensional

    Who is the target customer (or customers)?

    What is the key benefit a customer can get from using our service or product?

    Why should they be engaged with you?

    What makes our service or product better than our competitors?

    (Adapted from Crossing the Chasm)

    Info-Tech Insight

    It doesn’t matter if you are delivering value to internal or external stakeholders, you need a product vision to ensure everyone understands the “why.”

    Use a canvas as the dashboard for your architecture

    The solution architecture canvas provides a single dashboard to quickly define and communicate the most important information about the vision. A canvas is an effective tool for aligning teams and providing an executive summary view.

    This image contains a sample canvas for you to use as the dashboard for your architecture. The sections are: Solution Name, Tracking Info, Vision, Business Goals, Metrics, Personas, and Stakeholders.

    Leverage the solution architecture canvas to state and inform your architecture vision

    This image contains the sample canvas from the previous section, with annotations explaining what to do for each of the headings.

    1.1 Craft a vision statement for your solution’s architecture

    1. Use the product canvas template provided for articulating your solution’s architecture.

    *If needed, remove or add additional data points to fit your purposes.

    There are different statement templates available to help form your product vision statements. Some include:

    • For [our target customer], who [customer’s need], the [product] is a [product category or description] that [unique benefits and selling points]. Unlike [competitors or current methods], our product [main differentiators].
    • We believe (in) a [noun: world, time, state, etc.] where [persona] can [verb: do, make, offer, etc.], for/by/with [benefit/goal].
    • To [verb: empower, unlock, enable, create, etc.] [persona] to [benefit, goal, future state].
    • Our vision is to [verb: build, design, provide] the [goal, future state] to [verb: help, enable, make it easier to...] [persona].

    (Adapted from Crossing the Chasm)

    Download the Solution Architecture Template and document your vision statement.

    Input

    • Business Goals
    • Product Portfolio Vision

    Output

    • Solution Architecture Vision

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • IT Leadership
    • Business Leadership

    Solution Architecture Canvas: Refine your vision statement

    This image contains a screenshot of the canvas from earlier in the blueprint, with only the annotation for Solution Name: Vision, unique value proposition, elevator pitch, or positioning statement.

    Understand your value streams before determining your solution’s architecture

    Business Strategy

    Sets and communicates the direction of the entire organization.

    Value Stream

    Segments, groups, and creates a coherent narrative as to how an organization creates value.

    Business Capability Map

    Decomposes an organization into its component parts to establish a common language across the organization.

    Execution

    Implements the business strategy through capability building or improvement projects.

    Identify your organization’s goals and define the value streams that support them

    Goal

    Revenue Growth

    Value Streams

    Stream 1 - Product Purchase
    Stream 2 - Customer Acquisition
    Stream 3 - Product Financing

    There are many techniques that help with constructing value streams and their capabilities.

    Domain-driven design is a technique that can be used for hypothesizing the value maps, their capabilities, and associated solution architecture.

    Read more about domain-driven design here.

    Value streams can be external (deliver value to customers) or internal (support operations)

    External Perspective

    • Core value streams are mostly externally facing: they deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
    • E.g. customer acquisition, product purchase, product delivery

    Internal Perspective

    • Support value streams are internally facing: they provide the foundational support for an organization to operate.
    • E.g. employee recruitment to retirement

    Key Questions to Ask While Evaluating Value Streams

    • Who are your customers?
    • What benefits do we deliver to them?
    • How do we deliver those benefits?
    • How does the customer receive the benefits?
    This image contains an example of value streams. The main headings are: Customer Acquisitions, Product Purchase, Product Delivery, Confirm Order, Product Financing, and Product Release.

    Value streams highlight the what, not the how

    Value chains set a high-level context, but architectural decisions still need to be made to deal with the dynamism of user interaction and their subsequent expectations. User stories (and/or use cases) and themes are great tools for developing such decisions.

    Product Delivery

    1. Order Confirmation
    2. Order Dispatching
    3. Warehouse Management
    4. Fill Order
    5. Ship Order
    6. Deliver Order

    Use Case and User Story Theme: Confirm Order

    This image shows the relationship between confirming the customer's order online, and the Online Buyer, the Online Catalog, the Integrated Payment, and the Inventory Lookup.

    The use case Confirming Customer’s Online Order has four actors:

    1. An Online Buyer who should be provided with a catalog of products to purchase from.
    2. An Online Catalog that is invoked to display its contents on demand.
    3. An Integrated Payment system for accepting an online form of payment (credit card, Bitcoins, etc.) in a secure transaction.
    4. An Inventory Lookup module that confirms there is stock available to satisfy the Online Buyer’s order.

    Info-Tech Insight

    Each use case theme links back to a feature(s) in the product backlog.

    Related Research

    Deliver on Your Digital Portfolio Vision

    • Recognize that a vision is only as good as the data that backs it up. Lay out a comprehensive backlog with quality built in that can be effectively communicated and understood through roadmaps.
    • Your intent is only a dream if it cannot be implemented – define what goes into a release plan via the release canvas.
    • Define a communication approach that lets everyone know where you are heading.

    Document Your Business Architecture

    • Recognize the opportunity for architecture work, analyze the current and target states of your business strategy, and identify and engage the right stakeholders.
    • Model the business in the form of architectural blueprints.
    • Apply business architecture techniques such as strategy maps, value streams, and business capability maps to design usable and accurate blueprints of the business.
    • Drive business architecture forward to promote real value to the organization.
    • Assess your current projects to determine if you are investing in the right capabilities. Conduct business capability assessments to identify opportunities and to prioritize projects.

    1.2 Document dynamic value stream maps

    1. Create value stream maps that support your business objectives.
    • The value stream maps could belong to existing or new business objectives.
    2. For each value stream map:
    • Determine use case(s), the actors, and their expected activity.

    *Refer to the next slide for an example of a dynamic value stream map.

    Download the Solution Architecture Template for documentation of dynamic value stream map

    Input

    • Business Goals
    • Some or All Existing Business Processes
    • Some or All Proposed New Business Processes

    Output

    • Dynamic Value Stream Maps for Multiple User Roles and Use Cases

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect

    Example: Dynamic value stream map

    Loan Provision*

    *Value Stream Name: Usually has the same name as the capability it illustrates.

    Loan Application**; Disbursement of Funds**; Risk Management**; Service Accounts**

    **Value Stream Components: Specific functions that support the successful delivery of a value stream.

    Disbursement of Funds

    This image shows the relationship between depositing the loan into the applicant's bank account, and the Applicant's bank, the Loan Applicant, and the Loan Supplier.

    Style #1:

    The use case Disbursement of Funds has three actors:

    1. A Loan Applicant who applied for a loan and got approved for one.
    2. A Loan Supplier who is the source for the funds.
    3. The Applicant’s Bank that has an account into which the funds are deposited.

    Style #2:

    Loan Provision: Disbursement of Funds

    Use Case: Deposit Loan Into Applicant’s Bank Account

    Actors and their Expectations:
    1. Loan Applicant: Should be able to see deposit in bank account
    2. Loan Supplier: Deposit funds into account
    3. Applicant’s Bank: Accept funds into account

    Mid-Phase 1 Checkpoint

    By now, the following items are ideally completed:

    • Mid-Phase 1 Checkpoint

    Start with an investigation of your architecture’s qualitative needs

    Quality attributes can be viewed as the -ilities (e.g. scalability, usability, reliability) that a software system needs to provide. A system not meeting any of its quality attribute requirements will likely not function as required. Examples of unmet quality attributes are:

    1. Slow system response time
    2. Security breaches that result in loss of personal data
    3. A product feature upgrade that is not compatible with previous versions

    Examples of Qualitative Attributes

    Performance
    • Response Time
    • Resource Utilization
    • System Capacity

    Compatibility
    • Interoperability

    Usability
    • Accessibility
    • User Interface
    • Intuitiveness

    Reliability
    • Availability
    • Fault Tolerance
    • Recoverability

    Security
    • Integrity
    • Non-Repudiation

    Maintainability
    • Modularity
    • Reusability
    • Modifiability
    • Testability

    Focus on quality attributes that are architecturally significant.

    • Not every system requires every quality attribute.
    • Pay attention to those attributes without which the solution will not be able to satisfy a user’s abstract* expectation.
    • This set can be considered Architecturally Significant Requirements (ASR). ASR concern the scenarios that have the most impact on the architecture of the software system.
    • ASR are fundamental needs of the system and changing them in the future can be a costly and difficult exercise.

    *Abstract since attributes like performance and reliability are not directly measurable by a user.

    Stimulus, Response, Measurement, Environmental Context

    For applicable use cases: (*Adapted from S Carnegie Mellon University, 2000)

    1. Determine the Stimulus (temporal, external, or internal) that puts stress on the system. For example, nurses log in to a VPN-accessed hospital management system at 8am every weekday.
    2. Describe how the system should Respond to the stimulus. For example, the hospital management system should complete a nurse login in under 10ms of the HTTPS request being initiated.
    3. Set Measurement criteria for determining the success of the response to the stimulus. For example, the system should be able to successfully respond to 98% of the HTTPS requests the first time.
    4. Note the Environmental Context under which the stimulus occurs, including any unusual conditions in effect.
    • Does the hospital management system need to respond in under 10ms under typical load or under peak load?
    • What is the time variance of peak loads, for example, an e-commerce system during a Black Friday sale?
    • How big is the peak load?

    Info-Tech Insight

    Three out of four is bad. Don’t architect for normal situations because the solution will be fragile and prone to catastrophic failure under unexpected events.
    Read article: Retail sites crash under weight of online Black Friday shoppers.

    Discover and evaluate the qualitative attributes needed for use cases or user stories

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User: Loan Applicant

    Expectations: On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.

    Expected Response From System: System creates a connection to the data source and renders it on the screen in under 10ms.

    Measurement:
    Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale

    Quality Attribute Required:
    Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.
    Required Attribute # 2: Data Reliability
    • Design Decision: Use event-driven ETL pipelines.
    Required Attribute # 3: Scalability
    • Design Decision: Following Principle # 4 of the CSA (JIT Architecture), delay decision until necessary.

    Use cases developed in Phase 1.2 should be used here. (Adapted from the ATAM Utility Tree Method for Quality Attribute Engineering)
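
    The loan-deposit scenario above can be checked automatically, in the spirit of Principle 12. This is an added example, not part of the Info-Tech material: the class, field names and sample measurements are constructed, the 98% first-try figure is borrowed from the hospital example, and reading "response in 10ms or less" as a ceiling on the slowest response is an assumption.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """A quality attribute scenario with the four parts named in the text."""
    stimulus: str
    response: str
    measurement: dict   # environmental context -> latency ceiling in ms
    contexts: tuple     # environmental contexts the scenario must hold in
    min_first_try_success: float = 0.98  # assumption: hospital example's 98%

    def missing_parts(self):
        """List what is undefined; a scenario with gaps cannot be tested."""
        gaps = []
        if not self.stimulus.strip():
            gaps.append("stimulus")
        if not self.response.strip():
            gaps.append("response")
        if not self.measurement:
            gaps.append("measurement")
        if not self.contexts:
            gaps.append("environmental context")
        # Every declared context needs its own ceiling (normal vs. peak).
        gaps += [f"measurement for {c}" for c in self.contexts
                 if self.measurement and c not in self.measurement]
        return gaps


def evaluate(scenario, samples):
    """Judge measured requests against the scenario, one verdict per context."""
    gaps = scenario.missing_parts()
    if gaps:
        raise ValueError("incomplete scenario: " + ", ".join(gaps))
    report = {}
    for ctx in scenario.contexts:
        rows = [s for s in samples if s["context"] == ctx]
        if not rows:
            # A declared context that was never measured is unverified,
            # which is how "designed for normal load only" slips through.
            report[ctx] = {"passed": False, "reasons": ["no measurements"]}
            continue
        latencies = [s["latency_ms"] for s in rows]
        success = sum(1 for s in rows if s["first_try_ok"]) / len(rows)
        limit = scenario.measurement[ctx]
        reasons = []
        if max(latencies) > limit:
            reasons.append(f"slowest response {max(latencies)}ms exceeds {limit}ms")
        if success < scenario.min_first_try_success:
            reasons.append(f"first-try success {success:.0%} is below "
                           f"{scenario.min_first_try_success:.0%}")
        report[ctx] = {
            "average_ms": mean(latencies),
            "worst_ms": max(latencies),
            "success_rate": success,
            "passed": not reasons,
            "reasons": reasons,
        }
    return report


# The loan-deposit scenario from the text: 10ms normal, 15ms peak.
LOAN_SCENARIO = Scenario(
    stimulus="Loan applicant signs in and opens the account balance page",
    response="System reads the data source and renders the balance",
    measurement={"normal": 10, "peak": 15},
    contexts=("normal", "peak"),
)

# Constructed measurements (not real data). The peak rows average 21ms.
SAMPLES = (
    [{"context": "normal", "latency_ms": ms, "first_try_ok": True}
     for ms in (6, 8, 9, 7, 10)]
    + [{"context": "peak", "latency_ms": ms, "first_try_ok": ok}
       for ms, ok in ((14, True), (19, True), (25, True), (22, True), (25, False))]
)

if __name__ == "__main__":
    for context, verdict in evaluate(LOAN_SCENARIO, SAMPLES).items():
        print(context, "PASS" if verdict["passed"] else "FAIL", verdict["reasons"])
```

    A scenario that leaves out the environmental context is rejected before any measurement is judged, and a declared context with no measurements is reported as a failure rather than silently skipped.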

    Reduce technical debt while you are at it

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User: Loan Applicant

    Expectations: On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.

    Expected Response From System: System creates a connection to the data source and renders it on the screen in under 10ms.

    Measurement:
    Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale

    Quality Attribute Required:
    Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.

    Required Attribute # 2: Data Reliability

    • Expected is 15ms or less under peak loads, but average latency is 21ms.
    • Design Decision: Use event-driven ETL pipelines.

    Required Attribute # 3: Scalability

    • Data should not be stale and should sync instantaneously, but in some zip codes data synchronization is taking 8 hours.
    • Design Decision: Investigate integrations and flows across application, database, and infrastructure. (Note: A dedicated section for discussing scalability is presented in Phase 2.)

    1.3 Create a conceptual map between the value streams, use cases, and required architectural attributes

    1. For selected use cases completed in Phase 1.2:
    • Map the value stream to its associated use cases.
    • For each use case, list the required architectural quality attributes.

    Download the Solution Architecture Template for mapping value stream components to their required architectural attribute.

    Input

    • Use Cases
    • User Roles
    • Stimulus to System
    • Response From System
    • Response Measurement

    Output

    • List of Architectural Quality Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example for Phase 1.3

    Loan Provision

    Loan Application → Disbursement of Funds → Risk Management → Service Accounts

    Value Stream Component: Loan Application
    • UC1: Submit Loan Application. Required Architectural Attribute: Resilience, Data Reliability
    • UC2: Review Loan Application. Required Architectural Attribute: Data Reliability
    • UC3: Approve Loan Application. Required Architectural Attribute: Scalability, Security, Performance
    • UCn: ……..

    Value Stream Component: Disbursement of Funds
    • UC1: Deposit Funds Into Applicant’s Bank Account. Required Architectural Attribute: Performance, Scalability, Data Reliability
    • UCn: ……..

    Value Stream Component: Risk Management
    • …..

    Value Stream Component: Service Accounts
    • …..

    1.2 Document dynamic value stream maps

    1. Create value stream maps that support your business objectives.
    • The value stream maps could belong to existing or new business objectives.
  • For each value stream map:
    • Determine use case(s), the actors, and their expected activity.

    *Refer to the next slide for an example of a dynamic value stream map.

    Download the Solution Architecture Template for documentation of dynamic value stream map

    Input

    • Business Goals
    • Some or All Existing Business Processes
    • Some or All Proposed New Business Processes

    Output

    • Dynamic Value Stream Maps for Multiple Use Roles and Use Cases

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect

    Example: Dynamic value stream map

    Loan Provision*

    *Value Stream Name: Usually has the same name as the capability it illustrates.

    Loan Application**; Disbursement of Fund**; Risk Management**; Service Accounts**

    **Value Stream Components: Specific functions that support the successful delivery of a value stream.

    Disbursement of Funds

    This image shows the relationship between depositing the load into the applicant's bank account, and the Applicant's bank, the Loan Applicant, and the Loan Supplier.

    Style #1:

    The use case Disbursement of Funds has three actors:

    1. A Loan Applicant who applied for a loan and got approved for one.
    2. A Loan Supplier who is the source for the funds.
    3. The Applicant’s Bank that has an account into which the funds are deposited.

    Style # 2:

    Loan Provision: Disbursement of Funds
    Use Case Actors Expectation
    Deposit Loan Into Applicant’s Bank Account
    1. Loan Applicant
    2. Loan Supplier
    3. Applicant’s Bank
    1. Should be able to see deposit in bank account
    2. Deposit funds into account
    3. Accept funds into account

    Mid-Phase 1 Checkpoint

    By now, the following items are ideally completed:

    • Mid-Phase 1 Checkpoint

    Start with an investigation of your architecture’s qualitative needs

    Quality attributes can be viewed as the -ilities (e.g. scalability, usability, reliability) that a software system needs to provide. A system not meeting any of its quality attribute requirements will likely not function as required. Examples of quality attributes are:

    1. Slow system response time
    2. Security breaches that result in loss of personal data
    3. A product feature upgrade that is not compatible with previous versions
    Examples of Qualitative Attributes
    Performance Compatibility Usability Reliability Security Maintainability
    • Response Time
    • Resource Utilization
    • System Capacity
    • Interoperability
    • Accessibility
    • User Interface
    • Intuitiveness
    • Availability
    • Fault Tolerance
    • Recoverability
    • Integrity
    • Non-Repudiation
    • Modularity
    • Reusability
    • Modifiability
    • Testability

    Focus on quality attributes that are architecturally significant.

    • Not every system requires every quality attribute.
    • Pay attention to those attributes without which the solution will not be able to satisfy a user’s abstract* expectation.
    • This set can be considered Architecturally Significant Requirements (ASR). ASR concern scenarios have the most impact on the architecture of the software system.
    • ASR are fundamental needs of the system and changing them in the future can be a costly and difficult exercise.

    *Abstract since attributes like performance and reliability are not directly measurable by a user.

    Stimulus Response Measurement Environmental Context

    For applicable use cases: (*Adapted from S Carnegie Mellon University, 2000)

    1. Determine the Stimulus (temporal, external, or internal) that puts stress on the system. For example, a VPN-accessed hospital management system is used by nurses to log in at 8am every weekday.
    2. Describe how the system should Respond to the stimulus. For example, the hospital management system should complete a nurse login under 10ms on initiation of the HTTPS request.
    3. Set Measurement criteria for determining the success of the response to the stimulus. For example, the system should be able to successfully respond to 98% of the HTTPS requests the first time.
    4. Note the environmental context under which the stimulus occurs, including any unusual conditions in effect.
    • Does the hospital management system need to respond in under 10ms under typical load or peak load?
    • What is the time variance of peak loads, for example, an e-commerce system during a Black Friday sale?
    • How big is the peak load?
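
    The four SRME elements as a runnable check, added here as an illustration and not part of the original material: it scores constructed latency samples against the 10ms/15ms limits and the 98% first-time criterion used in this section's examples, once pooled and once per environmental context. The `Scenario` fields, the function names and the sample data are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One SRME scenario; the field names are this example's own."""
    stimulus: str
    response: str
    limits_ms: dict           # environmental context -> latency limit (ms)
    min_success_ratio: float  # share of requests that must meet the limit


BALANCE_PAGE = Scenario(
    stimulus="Applicant signs in and opens the account balance page",
    response="Balance is read from the data source and rendered",
    limits_ms={"normal": 10.0, "peak": 15.0},  # limits from the loan example
    min_success_ratio=0.98,                    # 98% first-time success
)


def constructed_samples():
    """Constructed measurements: (context, latency in ms, succeeded first time)."""
    normal = [("normal", 6.0, True)] * 995 + [("normal", 12.0, True)] * 5
    peak = ([("peak", 14.0, True)] * 4 + [("peak", 21.0, True)] * 5
            + [("peak", 9.0, False)])
    return normal + peak


def meets(scenario, sample):
    """A request counts only if it succeeded first time within its context's limit."""
    context, latency_ms, first_try_ok = sample
    return first_try_ok and latency_ms <= scenario.limits_ms[context]


def evaluate_by_context(scenario, samples):
    """Judge each environmental context on its own: {context: (ratio, passed)}."""
    grouped = {}
    for sample in samples:
        grouped.setdefault(sample[0], []).append(meets(scenario, sample))
    result = {}
    for context, hits in grouped.items():
        ratio = sum(hits) / len(hits)
        result[context] = (ratio, ratio >= scenario.min_success_ratio)
    return result


def evaluate_pooled(scenario, samples):
    """Ignore the context split and report one blended ratio: (ratio, passed)."""
    hits = [meets(scenario, s) for s in samples]
    ratio = sum(hits) / len(hits)
    return ratio, ratio >= scenario.min_success_ratio


if __name__ == "__main__":
    samples = constructed_samples()
    print("pooled:", evaluate_pooled(BALANCE_PAGE, samples))
    for context, outcome in evaluate_by_context(BALANCE_PAGE, samples).items():
        print(context, outcome)
```

    With this data the pooled figure clears the 98% bar while the peak-load context on its own does not, which is what leaving out the environmental context hides.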

    Info-Tech Insight

    Three out of four is bad. Don’t architect for normal situations because the solution will be fragile and prone to catastrophic failure under unexpected events.
    Read article: Retail sites crash under weight of online Black Friday shoppers.

    Discover and evaluate the qualitative attributes needed for use cases or user stories

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User: Loan Applicant
    Expectations: On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From System: System creates a connection to the data source and renders it on the screen in under 10ms.
    Measurement:
    Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute Required:
    Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.
    Required Attribute # 2: Data Reliability
    • Design Decision: Use event-driven ETL pipelines.
    Required Attribute # 3: Scalability
    • Design Decision: Following Principle # 4 of the CSA (JIT Architecture), delay decision until necessary.

    Use cases developed in Phase 1.2 should be used here. (Adapted from the ATAM Utility Tree Method for Quality Attribute Engineering)

    Reduce technical debt while you are at it

    Deposit Loan Into Applicant’s Bank Account

    Assume analysis is being done for a to-be developed system.

    User: Loan Applicant
    Expectations: On login to the web system, should be able to see accurate bank balance after loan funds are deposited.
    User signs into the online portal and opens their account balance page.
    Expected Response From System: System creates a connection to the data source and renders it on the screen in under 10ms.
    Measurement:
    Under Normal Loads:
    • Response in 10ms or less
    • Data should not be stale
    Under Peak Loads:
    • Response in 15ms or less
    • Data should not be stale
    Quality Attribute Required:
    Required Attribute # 1: Performance
    • Design Decision: Reduce latency by placing authorization components closer to user’s location.

    Required Attribute # 2: Data Reliability

    • Expected is 15ms or less under peak loads, but average latency is 21ms.
    • Design Decision: Use event-driven ETL pipelines.

    Required Attribute # 3: Scalability

    • Data should not be stale and should sync instantaneously, but in some zip codes data synchronization is taking 8 hours.
    • Design Decision: Investigate integrations and flows across application, database, and infrastructure. (Note: A dedicated section for discussing scalability is presented in Phase 2.)

    1.3 Create a conceptual map between the value streams, use cases, and required architectural attributes

    1. For selected use cases completed in Phase 1.2:
    • Map the value stream to its associated use cases.
    • For each use case, list the required architectural quality attributes.

    Download the Solution Architecture Template for mapping value stream components to their required architectural attribute.

    Input

    • Use Cases
    • User Roles
    • Stimulus to System
    • Response From System
    • Response Measurement

    Output

    • List of Architectural Quality Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Prioritize architectural quality attributes to ensure a right-engineered solution

    Trade-offs are inherent in solution architecture. Scaling systems may impact performance and weaken security, while fault-tolerance and redundancy may improve availability but at higher than desired costs. In the end, the best solution is not always perfect, but balanced and right-engineered (versus over- or under-engineered).

    Loan Provision

    Loan Application → Disbursement of Funds → Risk Management → Service Accounts

    1. Map architecture attributes against the value stream components.
    • Use individual use cases to determine which attributes are needed for a value stream component.
    This image contains a screenshot of the table showing the importance of scalability, resilience, performance, security, and data reliability for loan application, disbursement of funds, risk management, and service accounts.

    In our example, the prioritized list of architectural attributes is:

    • Security (4 votes for Very Important)
    • Data Reliability (2 votes for Very Important)
    • Scalability (1 vote for Very Important and 1 vote for Fairly Important)
    • Resilience (1 vote for Very Important, 0 votes for Fairly Important and 1 vote for Mildly Important)
    • Performance (0 votes for Very Important, 2 votes for Fairly Important)

    1.4 Create a prioritized list of architectural attributes (from 1.3)

    1. Using the tabular structure shown on the previous slide:
    • Map each value stream component against architectural quality attributes.
    • For each mapping, indicate its importance using the green, blue, and yellow color scheme.

    Download the Solution Architecture Template and document the list of architectural attributes by priority.

    Input

    • List of Architectural Attributes From 1.3

    Output

    • Prioritized List of Architectural Attributes

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    End of Phase 1

    At the end of this Phase, you should have completed the following activities:

    • Documented a set of dynamic value stream maps along with selected use cases.
    • Using the SRME framework, identified quality attributes for the system under investigation.
    • Prioritized quality attributes for system use cases.

    Phase 2: Multi-Purpose Data and Security Architecture

    Phase 1

    1.1 Articulate an Architectural Vision
    1.2 Develop Dynamic Value Stream Maps
    1.3 Map Value Streams, Use Cases, and Required Architectural Attributes
    1.4 Create a Prioritized List of Architectural Attributes

    Phase 2

    2.1 Develop a Data Architecture That Supports Transactional and Analytical Needs
    2.2 Document Security Architecture Risks and Mitigations

    Phase 3

    3.1 Document Scalability Architecture
    3.2 Document Performance Enhancing Architecture
    3.3 Combine the Different Architecture Design Decisions Into a Unified Solution Architecture

    This phase will walk you through the following activities:

    • Understand the scalability, performance, resilience, and security needs of the business.

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    Enhance Your Solution Architecture Practice

    Fragmented data environments need something to sew them together

    • A full 93% of enterprises have a multi-cloud strategy, with 87% having a hybrid-cloud environment in place.
    • On average, companies have data stored in 2.2 public and 2.2 private clouds as well as in various on-premises data repositories.
    This image contains a breakdown of the cloud infrastructure, including single cloud versus multi-cloud.

    Source: Flexera

    In addition, companies are faced with:

    • Access and integration challenges (Who is sending the data? Who is getting it? Can we trust them?)
    • Data format challenges as data may differ for each consumer and sender of data
    • Infrastructure challenges as data repositories/processors are spread out over public and private clouds, are on premises, or in multi-cloud and hybrid ecosystems
    • Structured vs. unstructured data

    A robust and reliable integrated data architecture is essential for any organization that aspires to be relevant and impactful in its industry.

    Data’s context and influence on a solution’s architecture cannot be overestimated

    Data used to be the new oil. Now it’s the life force of any organization that has serious aspirations of providing profit-generating products and services to customers. Architectural decisions about managing data have a significant impact on the sustainability of a software system as well as on quality attributes such as security, scalability, performance, and availability.

    Storage and Processing go hand in hand and are the mainstay of any data architecture. Due to their central position of importance, an architecture decision for storage and processing must be well thought through or they become the bottleneck in an otherwise sound system.

    Ingestion refers to a system’s ability to accept data as an input from heterogeneous sources, in different formats, and at different intervals.

    Dissemination is the set of architectural design decisions that make a system’s data accessible to external consumers. Major concerns involve security for the data in motion, authorization, data format, concurrent requests for data, etc.

    Orchestration takes care of ensuring data is current and reliable, especially for systems that are decentralized and distributed.

    Data architecture requires alignment with a hybrid data management plan

    Most companies have a combination of data. They own data held in on-premises data sources and in the cloud. Hybrid data management also includes external data, such as social network feeds, financial data, and legal information, among many others.

    Data integration architectures have typically been put in one of two major integration patterns:

    Application to Application Integration (or “speed matters”)

    • This domain is concerned with ensuring communication between processes.
    • Examples include patterns such as Service-Oriented Architecture, REST, Event Hubs and Enterprise Service Buses.

    Analytical Data Integrations (or “send it to me when it’s all done”)

    • This domain is focused on integrating data from transactional processes towards enterprise business intelligence. It supports activities that require well-managed data to generate evidence-based insights.
    • Examples of this pattern are ELT, enterprise data warehouses, and data marts.

    Sidebar

    Difference between real-time, batch, and streaming data movements

    Real-Time

    • Reacts to data in seconds or even quicker.
    • Real-time systems are hard to implement.

    Batch

    • Batch processing deals with a large volume of data all at once and data-related jobs are typically completed simultaneously in non-stop, sequential order.
    • Batch processing is an efficient and low-cost means of data processing.
    • Execution of batch processing jobs can be controlled manually, providing further control over how the system treats its data assets.
    • Batch processing is only useful if there are no requirements for data to be fresh and current. Real-time systems are suited to processing data that requires these attributes.

    Streaming

    • Stream processing allows almost instantaneous analysis of data as it streams from one device to another.
    • Since data is analyzed quickly, storage may not be a concern (since only computed data is stored while raw data can be dispersed).
    • Streaming requires the flow of data into the system to equal the flow of data computing, otherwise issues of data storage and performance can arise.

    Modern data ingestion and dissemination frameworks keep core data assets current and accessible

    Data ingestion and dissemination frameworks are critical for keeping enterprise data current and relevant.

    Data ingestion/dissemination frameworks capture/share data from/to multiple data sources.

    Factors to consider when designing a data ingestion/dissemination architecture

    What is the mode for data movement?

    • The mode for data movement is directly influenced by the size of data being moved and the downstream requirements for data currency.
    • Data can move in real-time, as a batch, or as a stream.

    What is the ingestion/dissemination architecture deployment strategy?

    • Outside of critical security concerns, hosting on the cloud vs. on premises leads to a lower total cost of ownership (TCO) and a higher return on investment (ROI).

    How many different and disparate data sources are sending/receiving data?

    • Stability comes from having a good understanding of the data sources/recipients and their requirements.

    What are the different formats flowing through?

    • Is the data in the form of data blocks? Is it structured, semi-structured, or unstructured?

    What are expected performance SLAs as data flow rate changes?

    • Data change rate is defined as the size of changes occurring every hour. It helps in selecting the appropriate tool for data movement.
    • Performance is a derivative of latency and throughput, and therefore, data on a cloud is going to have higher latency and lower throughput than if it is kept on premises.
    • What is the transfer data size? Are there any file compression and/or file splits applied on the data? What is the average and maximum size of a block object per ingestion/dissemination operation?

    What are the security requirements for the data being stored?

    • The ingestion/dissemination framework should be able to work through a secure tunnel to collect/share data if needed.

    Sensible storage and processing strategy can improve performance and scalability and be cost-effective

    The range of options for data storage is staggering...

    … but that’s a good thing because the range of data formats that organizations must deal with is also richer than in the past.

    Different strokes for different workloads.

    The data processing tool to use may depend upon the workloads the system has to manage.

    Expanding upon the Risk Management use case (as part of the Loan Provision Capability), one of the outputs for risk assessment is a report that conducts a statistical analysis of customer profiles and separates those that are possibly risky. The data for this report is spread out across different data systems and will need to be collected in a master data management storage location. The business and data architecture team have discussed three critical system needs, noted below:

    Data Management Requirements for Risk Management Reporting, each followed by its Data Design Decision(s):

    • Needs to query millions of relational records quickly
      • Strong indexing
      • Strong caching
      • Message queue
    • Needs a storage space for later retrieval of relational data
      • Data storage that scales as needed
    • Needs turnkey geo-replication mechanism with document retrieval in milliseconds
      • Add NoSQL with geo-replication and quick document access

    Keep every core data source on the same page through orchestration

    Data orchestration, at its simplest, is the combination of data integration, data processing, and data concurrency management.

    Data pipeline orchestration is a cross-cutting process that manages the dependencies between your data integration tasks and scheduled data jobs.

    A task or application may periodically fail, and therefore, as a part of our data architecture strategy, there must be provisions for scheduling, rescheduling, replaying, monitoring, retrying, and debugging the entire data pipeline in a holistic way.

    Some of the functions provided by orchestration frameworks are:

    • Job scheduling
    • Job parametrization
    • SLAs tracking, alerting, and notification
    • Dependency management
    • Error management and retries
    • History and audit
    • Data storage for metadata
    • Log aggregation

    Data Orchestration Has Three Stages

    • Organize: Organizations may have legacy data that needs to be combined with new data. It’s important for the orchestration tool to understand the data it deals with.
    • Transform: Transform the data from different sources into one standard type.
    • Publicize: Make transformed data easily accessible to stakeholders.

    2.1 Discuss and document data architecture decisions

    1. Using the value maps and associated use cases from Phase 1, determine the data system quality attributes.
    2. Use the sample tabular layout on the next slide or develop one of your own.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Value Maps and Use Cases

    Output

    • Initial Set of Data Design Decisions

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example: Data Architecture

    Data Management Requirements for Risk Management Reporting, each followed by its Data Design Decision(s):

    • Needs to query millions of relational records quickly
      • Strong indexing
      • Strong caching
      • Message queue
    • Needs a storage space for later retrieval of relational data
      • Data storage that scales as needed
    • Needs turnkey geo-replication mechanism with document retrieval in milliseconds
      • Add NoSQL with geo-replication and quick document access

    There is no free lunch when making the most sensible security architecture decision; tradeoffs are a necessity

    Ensuring that any real system is secure is a complex process involving tradeoffs against other important quality attributes (such as performance and usability). When architecting a system, we must understand:

    • Its security needs.
    • Its security threat landscape.
    • Known mitigations for those threats to ensure that we create a system with sound security fundamentals.

    The first thing to do when determining security architecture is to conduct a threat and risk assessment (TRA).

    This image contains a sample threat and risk assessment. The steps are:

    • Understand: Until we thoroughly understand what we are building, we cannot secure it. Structure what you are building, including:
      • System boundary
      • System structure
      • Databases
      • Deployment platform
    • Analyze: Use techniques like STRIDE and attack trees to analyze what can go wrong and what security problems this will cause.
    • Mitigate: The security technologies to use, to mitigate your concerns, are discussed here. Decisions about using single sign-on (SSO) or role-based access control (RBAC), encryption, digital signatures, or JWT tokens are made. An important part of this step is to consider tradeoffs when implementing security mechanisms.
    • Validate: Validation can be done by experimenting with proposed mitigations, peer discussion, or expert interviews.

    Related Research

    Optimize Security Mitigation Effectiveness Using STRIDE

    • Have a clear picture of:
      • Critical data and data flows
      • Organizational threat exposure
      • Security countermeasure deployment and coverage
    • Understand which threats are appropriately mitigated and which are not.
    • Generate a list of initiatives to close security gaps.
    • Create a quantified risk and security model to reassess program and track improvement.
    • Develop measurable information to present to stakeholders.

    The 3A’s of strong security: authentication, authorization, and auditing

    Authentication

    Authentication mechanisms help systems verify that a user is who they claim to be.

    Examples of authentication mechanisms are:

    • Two-Factor Authentication
    • Single Sign-On
    • Multi-Factor Authentication
    • JWT Over OAuth

    Authorization

    Authorization helps systems limit access to allowed features, once a user has been authenticated.

    Examples of authorization mechanisms are:

    • RBAC
    • Certificate Based
    • Token Based

    Auditing

    Securely recording security events through auditing proves that our security mechanisms are working as intended.

    Auditing is a function where security teams must collaborate with software engineers early and often to ensure the right kind of audit logs are being captured and recorded.

    Info-Tech Insight

    Defects in your application software can compromise privacy and integrity even if cryptographic controls are in place. A security architecture made after a thorough TRA does not override security risk introduced by irresponsible software design.

    Examples of threat and risk assessments using STRIDE and attack trees

    STRIDE is a threat modeling framework and is composed of:

    • Spoofing or impersonation of someone other than oneself
    • Tampering with data and destroying its integrity
    • Repudiation by bypassing system identity controls
    • Information disclosure to unauthorized persons
    • Denial of service that prevents system or parts of it from being used
    • Elevation of privilege so that attackers get rights they should not have

    Example of using STRIDE for a TRA on a solution using a payment system

    This image contains a sample attack tree.

    • Spoofing (PayPal): Bad actor can send fraudulent payment request for obtaining funds.
    • Tampering (PayPal): Bad actor accesses database and can resend fraudulent payment request for obtaining funds.
    • Repudiation (PayPal): Customer claims, incorrectly, their account made a payment they did not authorize.
    • Disclosure (PayPal): Private service database has details leaked and made public.
    • Denial of Service (PayPal): Service is made to slow down through creating a load on the network, causing massive build up of requests.
    • Elevation of Privilege (PayPal): Bad actor attempts to enter someone else’s account by entering incorrect password a number of times.

    2.2 Document security architecture risks and mitigations

    1. Using STRIDE, attack tree, or any other framework of choice:
    • Conduct a TRA for use cases identified in Phase 1.2.
    • For each threat identified through the TRA, think through the implications of using authentication, authorization, and auditing as a security mechanism.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Dynamic Value Stream Maps

    Output

    • Security Architecture Risks and Mitigations

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Product Owner
    • Security Team
    • Application Architect
    • Integration Architect

    Examples of threat and risk assessments using STRIDE

    Example of using STRIDE for a TRA on a solution using a payment system
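
    • Threat: Spoofing
      • System Component: PayPal
      • Description: Bad actor can send fraudulent payment request for obtaining funds.
      • Quality Attribute Impacted: Confidentiality
      • Resolution: Authorization
    • Threat: Tampering
      • System Component: PayPal
      • Description: Bad actor accesses database and can resend fraudulent payment request for obtaining funds.
      • Quality Attribute Impacted: Integrity
      • Resolution: Authorization
    • Threat: Repudiation
      • System Component: PayPal
      • Description: Customer claims, incorrectly, their account made a payment they did not authorize.
      • Quality Attribute Impacted: Integrity
      • Resolution: Authentication and Logging
    • Threat: Disclosure
      • System Component: PayPal
      • Description: Private service database has details leaked and made public.
      • Quality Attribute Impacted: Confidentiality
      • Resolution: Authorization
    • Threat: Denial of Service
      • System Component: PayPal
      • Description: Service is made to slow down through creating a load on the network, causing massive build up of requests.
      • Quality Attribute Impacted: Availability
      • Resolution: N/A
    • Threat: Elevation of Privilege
      • System Component: PayPal
      • Description: Bad actor attempts to enter someone else’s account by entering incorrect password a number of times.
      • Quality Attribute Impacted: Confidentiality, Integrity, and Availability
      • Resolution: Authorization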
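
    The three mechanisms from the 3A’s section applied to a payment request like the ones in the STRIDE example above, as an added example that is not part of the original material: a request is authenticated, authorized, and every decision is written to a tamper-evident audit log. The HMAC-signed token is a stand-in for a JWT, and the keys, roles, users and function names are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo secrets; real keys come from a secrets manager.
TOKEN_KEY = b"constructed-token-key"
AUDIT_KEY = b"constructed-audit-key"
GENESIS = "0" * 64

# RBAC table: role -> permitted actions (hypothetical names).
ROLE_PERMISSIONS = {"customer": {"payment:create"}, "support": {"payment:view"}}


def _mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def issue_token(user, role):
    """Stand-in for the token a login service issues (not a real JWT)."""
    body = json.dumps({"user": user, "role": role}, sort_keys=True)
    return body + "." + _mac(TOKEN_KEY, body)


def authenticate(token):
    """Authentication: return the claims only if the token's MAC verifies."""
    body, _, tag = token.rpartition(".")
    expected = _mac(TOKEN_KEY, body)
    if not body or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return json.loads(body)


def authorize(claims, action):
    """Authorization: the role must explicitly grant the action."""
    return action in ROLE_PERMISSIONS.get(claims["role"], set())


class AuditLog:
    """Auditing: each entry's MAC also covers the previous entry's MAC."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = _mac(AUDIT_KEY, prev + json.dumps(event, sort_keys=True))
        self.entries.append({"event": event, "prev": prev, "mac": mac})

    def first_bad_entry(self):
        """Return the index of the first entry that fails to verify, or -1."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            payload = json.dumps(entry["event"], sort_keys=True)
            expected = _mac(AUDIT_KEY, prev + payload)
            if entry["prev"] != prev or not hmac.compare_digest(
                    entry["mac"].encode(), expected.encode()):
                return index
            prev = entry["mac"]
        return -1


def handle_request(log, seq, token, action):
    """Run one request through all three controls and record the decision."""
    claims = authenticate(token)
    if claims is None:
        user, decision = None, "deny:unauthenticated"
    elif not authorize(claims, action):
        user, decision = claims["user"], "deny:unauthorized"
    else:
        user, decision = claims["user"], "allow"
    # seq stands in for a timestamp so the example is deterministic.
    log.append({"seq": seq, "user": user, "action": action, "decision": decision})
    return decision


def demo():
    log = AuditLog()
    alice = issue_token("alice", "customer")
    bob = issue_token("bob", "support")
    altered = bob.replace('"support"', '"customer"')  # role edited, MAC stale
    decisions = [
        handle_request(log, 1, alice, "payment:create"),
        handle_request(log, 2, altered, "payment:create"),
        handle_request(log, 3, bob, "payment:create"),
    ]
    intact = log.first_bad_entry()
    # Simulate an after-the-fact edit to entry 0 (the repudiation case).
    log.entries[0]["event"]["decision"] = "deny:unauthorized"
    return {"decisions": decisions, "intact": intact,
            "after_edit": log.first_bad_entry()}


if __name__ == "__main__":
    print(demo())
```

    The chain exposes edits to recorded entries; noticing that the newest entries were removed also requires keeping the latest MAC somewhere the log writer cannot change.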

    Phase 3: Upgrade Your System’s Availability

    This phase will walk you through the following activities:

    • Examine architecture for scalable and performant system designs
    • Integrate all design decisions made so far into a solution design decision log

    This phase involves the following participants:

    • Business Architect
    • Product Owner
    • Application Architect
    • Integration Architect
    • Database Architect
    • Enterprise Architect

    In a cloud-inspired system architecture, scalability takes center stage as an architectural concern

    Scale and scope of workloads are more important now than they were, perhaps, a decade and a half ago. Architects realize that scalability is not an afterthought. Not dealing with it at the outset can have serious consequences should an application workload suddenly exceed expectations.

    Scalability is …

    … the ability of a system to handle varying workloads by either increasing or decreasing the computing resources of the system.

    An increased workload could include:

    • Higher transaction volumes
    • A greater number of users

    Architecting for scalability is …

    … not easy since organizations may not be able to accurately judge, outside of known circumstances, when and why workloads may unexpectedly increase.

    A scalable architecture should be planned at the:

    • Application Level
    • Infrastructure Level
    • Database Level

    The right amount and kind of scalability is …

    … balancing the demands of the system with the supply of attributes.

    If demand from system > supply from system:

    • Services and products are not useable and deny value to customers.

    If supply from system > demand from system:

    • Excess resources have been paid for that are not being used.

    When discussing the scalability needs of a system, investigate the following, at a minimum:

    • In case workloads increase due to higher transaction volumes, will the system be able to cope with the additional stress?
    • In situations where workloads increase, will the system be able to support the additional stress without any major modifications being made to the system?
    • Is the cost associated with handling the increased workloads reasonable for the benefit it provides to the business?
    • Assuming the system doesn’t scale, is there any mechanism for graceful degradation?

    Use evidence-based decision making to ensure a cost-effective yet appropriate scaling strategy

    The best input for an effective scaling strategy is previously gathered traffic data mapped to specific circumstances.

    In some cases, either due to lack of monitoring or the business not being sure of its needs, scalability requirements are hard to determine. In such cases, use stated tactical business objectives to design for scalability. For example, the business might state its desire to achieve a target revenue goal. To accommodate this, a certain number of transactions would need to be conducted, assuming a particular conversion rate.

    Scaling strategies can be based on Vertical or Horizontal expansion of resources.

    Vertical: Scale up through use of more powerful but limited number of resources

    • Pros:
      • May not require frequent upgrades.
      • Since data is managed through a limited number of resources, it is easier to share and keep current.
    • Cons:
      • Costly upfront.
      • Application, database, and infrastructure may not be able to make optimal use of extra processing power.
      • As the new, more powerful resource is provisioned, systems may experience downtime.
      • Lacks redundancy due to limited points of failure.
      • Performance is constrained by the upper limits of the infrastructure involved.

    Horizontal: Scale out through use of similarly powered but larger quantity of resources

    • Pros:
      • Cost-effective upfront.
      • System downtime is minimal when scaling is being performed.
      • More redundancy and fault tolerance are possible since many nodes are involved and can replace failed nodes.
      • Performance can scale out as more nodes are added.
    • Cons:
      • Upgrades may occur more often than in vertical scaling.
      • Increases machine footprints and administrative costs over time.
      • Data may be partitioned on multiple nodes, leading to administrative and data currency challenges.

    Info-Tech Insight

    • Scalability is the one attribute that sparks a lot of trade-off discussions. Scalable solutions may have to compromise on performance, cost, and data reliability.
    • Horizontal scalability is almost always preferable over vertical scalability.

    Sidebar

    The many flavors of horizontal scaling

    Traffic Sharding

    Through this mechanism, incoming traffic is partitioned around a characteristic of the workload flowing in. Examples of partitioning characteristics are user groups, geo-location, and transaction type.

    Beware of:

    • Lack of data currency across shards.

    Copy and Paste

    As the name suggests, clone the compute resources along with the underlying databases. The system will use a load balancer as the first point of contact between itself and the workload flowing in.

    Beware of:

    • Though this is a highly scalable model, it does introduce risks related to data currency across all databases.
    • In case master database writes are frequent, it could become a bottleneck for the entire system.

    Productization Through Containers

    This involves breaking up the system into specific functions and services and bundling their business rules/databases into deployable containers.

    Beware of:

    • Too many containers introduce the need to orchestrate the distributed architecture that results from a service-oriented approach.

    Start a scalability overview with a look at the database(s)

    To know where to go, you must know where you are. Before introducing architectural changes to database designs, use the right metrics to get an insight into the root cause of the problem(s).

    In a nutshell, the purpose of scaling solutions is to have the technology stack do less work for the most requested services/features or be able to effectively distribute the additional workload across multiple resources.

    For databases, to ensure this happens, consider these techniques:

    • Reuse data through caching on the server and/or the client. This eliminates the need for looking up already accessed data. Examples of caching are:
      • In-memory caching of data
      • Caching database queries
    • Implement good data retrieval techniques like indexes.
    • Divide labor at the database level.
      • Through setting up primary-secondary distribution of data. In such a setup, the primary node is involved in writing data to itself and passes on requests to secondary nodes for fulfillment.
      • Through setting up database shards (either horizontally or vertically).
        • In a horizontal shard, a data table is broken into smaller pieces with the same data model but unique data in it. The sum total of the sharded databases contains all the data in the primary data table.
        • In a vertical shard, a data table is broken into smaller pieces, but each piece may have a subset of the data columns. Each column’s data is stored in the piece where that column resides.

    Info-Tech Insight

    A non-scalable architecture has more than just technology-related ramifications. Hoping that load balancers or cloud services will manage scalability-related issues is bound to have economic impacts as well.

    Sidebar

    Caching Options

    CSA PRINCIPLE 5 applies to any decision that supports system scalability.
    “X-ilities Over Features”

    Database Caching
    Fetches and stores the results of database queries in memory. Subsequent requests for the same queries check the cache before making a connection with the database.
    Tools like Memcached or Redis are used for database caching.

    Precompute Database Caching
    Unlike database caching, this style of caching precomputes results of queries that are popular and frequently used. For example, a database trigger could execute several predetermined queries and have them ready for consumption. The precomputed results may be stored in a database cache.

    Application Object Caching
    Stores computed results in a cache for later retrieval. For data sources, which are not changing frequently and are part of a computation output, application caching will remove the need to connect with a database.

    Proxy Caching
    Caches retrieved web pages on a proxy server and makes them available for the next time the page is requested.
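    The database caching option above, together with the data currency risk flagged earlier for replicated data, shown as an added example that is not part of the original blueprint. It assumes an in-process dictionary standing in for Memcached or Redis; the QueryCache class, the accounts table, and its values are constructed for illustration.

```python
import sqlite3
import time


class QueryCache:
    """Cache-aside: check memory first, query the database only on a miss."""

    def __init__(self, conn, ttl_seconds=30.0, clock=time.monotonic):
        self.conn = conn
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be exercised in a test
        self._store = {}        # (sql, params) -> (expires_at, rows)
        self.hits = 0
        self.misses = 0

    def query(self, sql, params=()):
        # The key includes the bound parameters, so rows fetched for one
        # account are never served in answer to a query for another.
        key = (sql, tuple(params))
        entry = self._store.get(key)
        if entry is not None and entry[0] > self.clock():
            self.hits += 1
            return entry[1]
        self.misses += 1
        rows = self.conn.execute(sql, params).fetchall()
        self._store[key] = (self.clock() + self.ttl, rows)
        return rows

    def write(self, sql, params=(), invalidate=True):
        self.conn.execute(sql, params)
        self.conn.commit()
        if invalidate:
            # Coarse invalidation: drop every cached result after a write.
            self._store.clear()


def demo():
    """Run one read/write sequence against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES (1, 100)")
    conn.commit()

    now = [0.0]  # fake clock, in seconds
    cache = QueryCache(conn, ttl_seconds=30, clock=lambda: now[0])
    read = "SELECT balance FROM accounts WHERE id = ?"
    update = "UPDATE accounts SET balance = ? WHERE id = ?"

    first = cache.query(read, (1,))      # miss: goes to the database
    second = cache.query(read, (1,))     # hit: served from memory

    # A write that bypasses invalidation leaves the old balance in the cache.
    cache.write(update, (40, 1), invalidate=False)
    stale = cache.query(read, (1,))      # hit: still the pre-write value

    now[0] = 31.0                        # TTL bounds how long staleness lasts
    after_ttl = cache.query(read, (1,))  # miss: entry expired, fresh read

    # A write that invalidates makes the next read current immediately.
    cache.write(update, (10, 1))
    fresh = cache.query(read, (1,))      # miss: cache was cleared

    return {
        "first": first, "second": second, "stale": stale,
        "after_ttl": after_ttl, "fresh": fresh,
        "hits": cache.hits, "misses": cache.misses,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    The TTL is the upper bound on how long a reader can see an outdated value when a write path skips invalidation, so it should be chosen per data set rather than globally.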

    The intra- and inter-process communication of the system’s middle tier can become a bottleneck

    To synchronize or not to synchronize?

    A synchronous request (doing one thing at a time) means that code execution will wait for the request to be responded to before continuing.

    • A synchronous request is a blocking event; until it is completed, all following requests have to wait for their responses.
    • An increasing workload on a synchronous system may impact performance.
    • Synchronous interactions are less costly in terms of design, implementation, and maintenance.
    • Scaling options include:
      1. Vertical scale up
      2. Horizontal scale out of application servers behind a load balancer and a caching technique (to minimize data retrieval roundtrips)
      3. Horizontal scale out of database servers with data partitioning and/or data caching technique

    Use synchronous requests when…

    • Each request to a system sets the necessary precondition for a following request.
    • Data reliability is important, especially in real-time systems.
    • System flows are simple.
    • Tasks that are typically time consuming, such as I/O, data access, pre-loading of assets, are completed quickly.

    Asynchronous requests (doing many things at the same time) do not block the system they are targeting.

    • It is a “fire and forget” mechanism.
    • Execution on a server/processor is triggered by the request; however, additional technical components (callbacks) for checking the state of the execution must be designed and implemented.
    • Asynchronous interactions require additional time to be spent on implementation and testing.
    • With asynchronous interactions, there is no guarantee the request initiated any processing until the callbacks check the status of the executed thread.

    Use asynchronous requests when…

    • Tasks are independent in nature and don’t require inter-task communication.
    • System flows need to be efficient.
    • The system is using event-driven techniques for processing.
    • Many I/O tasks are involved.
    • The tasks are long running.

    Sidebar

    Other architectural tactics for inter-process communication

    STATELESS SERVICES VERSUS STATEFUL SERVICES

    Stateless services:
    • Do not require any additional data, apart from the bits sent through with the request.
    • Without implementing a caching solution, it is impossible to access the previous data trail for a transaction session.

    Stateful services:
    • In addition to the data sent through with the request, require previous data sent to complete processing.
    • Require server memory to store the additional state data. With increasing workloads, this could start impacting the server’s performance.

    It is generally accepted that stateless services are better for system scalability, especially if vertical scaling is costly and there is expectation that workloads will increase.

    MICROSERVICES VERSUS SERVERLESS FUNCTIONS

    Microservices:
    • Services are designed as small units of code with a single responsibility and are available on demand.
    • A microservices architecture is easily scaled horizontally by adding a load balancer and a caching mechanism.

    Serverless functions:
    • Like microservices, these are small pieces of code designed to fulfill a single purpose.
    • Are provided only through cloud vendors, and therefore, there is no need to worry about provisioning of infrastructure as needs increase.
    • Stateless by design, but the life cycle of a serverless function is vendor controlled.

    Serverless functions are an evolving technology and tightly controlled by the vendor. As and when vendors make changes to their serverless products, your own systems may need to be modified to make the best use of these upgrades.

    A team that does not measure their system’s scalability is a team bound to get a 5xx HTTP response code

    A critical aspect of any system is its ability to monitor and report on its operational outcomes.

    • Using the principle of continuous testing, every time an architectural change is introduced, a thorough load and stress testing cycle should be executed.
    • Effective logging and use of insightful metrics helps system design teams make data-driven decisions.
    • Using the principles of site reliability engineering and predictive analytics, teams can be prepared for any unplanned exaggerated stimulus on the system and proactively set up remedial steps.

    Any system, however well architected, will break one day. Strategically place kill-switches to counter any failures and thoroughly test their functioning before releasing to production.

    • Using Principles 2 and 9 of the CSA (include kill-switches and architect for x-ilities over features), introduce tactics at the code and higher levels that can be used to put a system in its previous best state in case of failure.
    • Examples of such tactics are:
      • Feature flags for turning on/off code modules that impact x-ilities.
      • Implement design patterns like throttling, autoscaling, and circuit breaking.
      • Writing extensive log messages that bubble up as exceptions/error handling from the code base. *Logging can be a performance drag. Use with caution as even logging code is still code that needs CPU and data storage.
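    Two of the tactics listed above, a feature flag used as a kill-switch and a circuit breaker, combined in an added example that is not part of the original blueprint. The class names, the "recommendations" flag, and the simulated service are hypothetical, and a fake clock replaces real time so the state changes can be followed.

```python
import time


class CircuitOpenError(Exception):
    """Raised when the breaker rejects a call without trying the dependency."""


class CircuitBreaker:
    def __init__(self, failure_threshold=3, reset_timeout=10.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock
        self.failures = 0
        self.opened_at = None   # None means the circuit is closed

    @property
    def state(self):
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_timeout:
            return "half-open"  # cooldown over: allow one trial call
        return "open"

    def call(self, func, *args):
        state = self.state
        if state == "open":
            raise CircuitOpenError("dependency disabled until cooldown ends")
        try:
            result = func(*args)
        except Exception:
            self.failures += 1
            # A failed trial call in half-open re-opens the circuit at once.
            if state == "half-open" or self.failures >= self.failure_threshold:
                self.opened_at = self.clock()
            raise
        self.failures = 0
        self.opened_at = None
        return result


class GuardedFeature:
    """Runs `primary` only if its flag is on and the breaker allows it."""

    def __init__(self, flags, flag_name, breaker, primary, fallback):
        self.flags, self.flag_name = flags, flag_name
        self.breaker, self.primary, self.fallback = breaker, primary, fallback

    def __call__(self, *args):
        # Kill-switch: a missing flag counts as "off", so the safe path wins.
        if not self.flags.get(self.flag_name, False):
            return self.fallback(*args)
        try:
            return self.breaker.call(self.primary, *args)
        except Exception:
            return self.fallback(*args)


def demo():
    """Walk a simulated outage; returns (step, result, breaker state, primary calls)."""
    now = [0.0]
    svc = {"down": False}
    calls = {"primary": 0}

    def primary(user):
        calls["primary"] += 1
        if svc["down"]:
            raise ConnectionError("recommendation service timed out")
        return "live:" + user

    def fallback(user):
        return "default-list"

    flags = {"recommendations": True}
    breaker = CircuitBreaker(failure_threshold=3, reset_timeout=10.0,
                             clock=lambda: now[0])
    feature = GuardedFeature(flags, "recommendations", breaker, primary, fallback)
    trace = []

    def step(label):
        trace.append((label, feature("u1"), breaker.state, calls["primary"]))

    step("healthy")
    svc["down"] = True
    for _ in range(3):
        step("failing")           # third failure opens the circuit
    step("open")                  # rejected without touching the service
    now[0] = 10.0
    step("trial-fails")           # half-open trial fails, circuit re-opens
    now[0] = 20.0
    svc["down"] = False
    step("trial-succeeds")        # half-open trial succeeds, circuit closes
    flags["recommendations"] = False
    step("flag-off")              # operator kill-switch: service is not called
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```

    The last column of the trace is the number of calls that reached the failing service, which is the figure to compare against the request count when testing a kill-switch before release.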

    Performance is a system’s ability to satisfy time-bound expectations

    Performance can also be defined as the ability for a system to achieve its timing requirements, using available resources, under expected full-peak load (International Organization for Standardization, 2011).

    • Performance and scalability are two peas in a pod. They are related to each other but are distinct attributes. Where scalability refers to the ability of a system to initiate multiple simultaneous processes, performance is the system’s ability to complete the processes within a mandated average time period.
    • Degrading performance is one of the first red flags about a system’s ability to scale up to workload demands.
    • Mitigation tactics for performance are very similar to the tactics for scalability.

    System performance needs to be monitored and measured consistently.

    Measurement Category 1: System performance in terms of end-user experience during different load scenarios.

    • Response time/latency: Length of time it takes for an interaction with the system to complete.
    • Turnaround time: Time taken to complete a batch of tasks.
    • Throughput: Amount of workload a system is capable of handling in a unit time period.

    Measurement Category 2: System performance in terms of load managed by computational resources.

    • Resource utilization: The average usage of a resource (like CPU) over a period. Peaks and troughs indicate excess vs. normal load times.
    • Number of concurrent connections: Simultaneous user requests that a resource like a server can successfully deal with at once.
    • Queue time: The turnaround time for a specific interaction or category of interactions to complete.

    Architectural tactics for performance management are the same as those used for system scalability

    Application Layer

    • Using a balanced approach that combines CSA Principle 7 (Good architecture comes in small packages) and Principle 10 (Architect for products, not projects), a microservices architecture based on domain-driven design helps process performance. Microservices use lightweight HTTP protocols and have loose coupling, adding a degree of resilience to the system as well. *An overly-engineered microservices architecture can become an orchestration challenge.
    • The code design must follow standards that support performance. An example of such standards is SOLID*.
    • Serverless architectures can run application code from anywhere – for example, from edge servers close to an end user – thereby reducing latency.

    Database Layer

    • Using the right database technologies for persistence. Relational databases have implicit performance bottlenecks (which get exaggerated as data size grows along with indexes), and document store database technologies (key-value or wide-column) can improve performance in high-read environments.
    • Data sources, especially those that are frequently accessed, should ideally be located close to the application servers. Hybrid infrastructures (cloud and on premises mixed) can lead to latency when a cloud-application is accessing on-premises data.
    • Using a data partitioning strategy, especially in a domain-driven design architecture, can improve the performance of a system.

    Performance modeling and continuous testing make the SRE a happy engineer

    Performance modeling and testing helps architecture teams predict performance risks as the solution is being developed.
    (CSA Principle 12: Test the solution architecture like you test your solution’s features)

    Create a model for your system’s hypothetical performance testing by breaking an end-to-end process or use case into its components. *Use the SIPOC framework for decomposition.

    This image contains an example of modeled performance, showing the latency in the data flowing from different data sources to the processing of the data.

    In the hypothetical example of modeled performance above:

    • The longest period of latency is 15ms.
    • The processing of data takes 30ms, while the baseline was established at 25ms.
    • Average latency in sending back user responses is 21ms – 13ms slower than expected.

    The model helps architects:

    • Get evidence for their assumptions
    • Quantitatively isolate bottlenecks at a granular level

    Model the performance flow once but test it periodically

    Performance testing measures the performance of a software system under normal and abnormal loads.

    The performance testing process should be fully integrated with software development activities and as automated as possible. In a fast-moving Agile environment, teams should attempt to:

    • Shift-left performance testing activities.
    • Use performance testing to pinpoint performance bottlenecks.
    • Take corrective action, as quickly as possible.

    Performance testing techniques

    • Normal load testing: Verifies the system’s behavior under the expected normal load to ensure that its performance requirements are met. Load testing can be used to measure response time, responsiveness, turnaround time, and throughput.
    • Expected maximum load testing: Like the normal load testing process, ensures system meets its performance requirements under expected maximum load.
    • Stress testing: Evaluates system behavior when processing loads beyond the expected maximum.

    *In a real production scenario, a combination of these tests is executed on a regular basis to monitor the performance of the system over a given period.

    3.1-3.2 Discuss and document initial decisions made for architecture scalability and performance

    1. Use the outcomes from either or both Phases 1.3 and 1.4.
    • For each value stream component, list the architecture decisions taken to ensure scalability and performance at client-facing and/or business-rule layers.

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Output From Phase 1.3 and/or From Phase 1.4

    Output

    • Initial Set of Design Decisions Made for System Scalability and Performance

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Example: Architecture decisions for scalability and performance

    Value Stream Component: Loan Application
    • Design Decision for User Interface Layer
      • Scalability: N/A
      • Resilience: Include circuit breaker design in both mobile app and responsive websites.
      • Performance: Cache data client.
    • Design Decisions for Middle Processing Layer
      • Scalability: Scale vertically (up) since loan application processing is very compute intensive.
      • Resilience: Set up fail-over replica.
      • Performance: Keep servers in the same geo-area.

    Value Stream Component: Disbursement of Funds
    • Design Decision for User Interface Layer
      • *Does not have a user interface
    • Design Decisions for Middle Processing Layer
      • Scalability: Scale horizontal when traffic reaches X requests/second.
      • Resilience: Create microservices using domain-driven design; include circuit breakers.
      • Performance: Set up application cache; synchronous communication since order of data input is important.

    Value Stream Component: ….
    • Design Decision for User Interface Layer: ….
    • Design Decisions for Middle Processing Layer: ….

    3.3 Combine the different architecture design decisions into a unified solution architecture

    Download the Solution Architecture Template for documenting data architecture decisions.

    Input

    • Output From Phase 1.3 and/or From Phase 1.4
    • Output From Phase 2.1
    • Output From Phase 2.2
    • Output From 3.1 and 3.2

    Output

    • List of Design Decisions for the Solution

    Materials

    • Whiteboard/Flip Charts

    Participants

    • Business Architect
    • Application Architect
    • Integration Architect
    • Database Architect
    • Infrastructure Architect

    Putting it all together is the bow that finally ties this gift

    This blueprint covered the domains tagged with the yellow star.

    This image contains a screenshot of the solution architecture framework found earlier in this blueprint, with stars next to Data Architecture, Security, Performance, and Stability.

    TRADEOFF ALERT

    The right design decision is never the same for all perspectives. Along with varying opinions comes the “at odds with each other” set of needs (scalability vs. performance, or access vs. security).

    An evidence-based decision-making approach using a domain-driven design strategy is a good mix of techniques for creating the best (right?) solution architecture.

    This image contains a screenshot of a table that summarizes the themes discussed in this blueprint.

    Summary of accomplishment

    • Gained understanding and clarification of the stakeholder objectives placed on your application architecture.
    • Completed detailed use cases and persona-driven scenario analysis and their architectural needs through SRME.
    • Created a set of design decisions for data, security, scalability, and performance.
    • Merged the different architecture domains dealt with in this blueprint to create a holistic view.

    Bibliography

    Ambysoft Inc. “UML 2 Sequence Diagrams: An Agile Introduction.” Agile Modeling, n.d. Web.

    Bass, Len, Paul Clements, and Rick Kazman. Software Architecture in Practice: Third Edition. Pearson Education, Inc. 2003.

    Eeles, Peter. “The benefits of software architecting.” IBM: developerWorks, 15 May 2006. Web.

    Flexera 2020 State of the Cloud Report. Flexera, 2020. Web. 19 October 2021.

    Furdik, Karol, Gabriel Lukac, Tomas Sabol, and Peter Kostelnik. “The Network Architecture Designed for an Adaptable IoT-based Smart Office Solution.” International Journal of Computer Networks and Communications Security, November 2013. Web.

    Ganzinger, Matthias, and Petra Knaup. “Requirements for data integration platforms in biomedical research networks: a reference model.” PeerJ, 5 February 2015. (https://peerj.com/articles/755/).

    Garlan, David, and Mary Shaw. An Introduction to Software Architecture. CMU-CS-94-166, School of Computer Science Carnegie Mellon University, January 1994.

    Gupta, Arun. “Microservice Design Patterns.” Java Code Geeks, 14 April 2015. Web.

    How, Matt. The Modern Data Warehouse in Azure. O’Reilly, 2020.

    ISO/IEC 17788:2014: Information technology – Cloud computing, International Organization for Standardization, October 2014. Web.

    ISO/IEC 18384-1:2016: Information technology – Reference Architecture for Service Oriented Architecture (SOA RA), International Organization for Standardization, June 2016. Web.

    ISO/IEC 25010:2011(en) Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models. International Organization for Standardization, March 2011. Web.

    Kazman, R., M. Klein, and P. Clements. ATAM: Method for Architecture Evaluation. S Carnegie Mellon University, August 2000. Web.

    Microsoft Developer Network. “Chapter 16: Quality Attributes.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Microsoft Developer Network. “Chapter 2: Key Principles of Software Architecture.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Microsoft Developer Network. “Chapter 3: Architectural Patterns and Styles.” Microsoft Application Architecture Guide. 2nd Ed., 14 January 2010. Web.

    Microsoft Developer Network. “Chapter 5: Layered Application Guidelines.” Microsoft Application Architecture Guide. 2nd Ed., 13 January 2010. Web.

    Mirakhorli, Mehdi. “Common Architecture Weakness Enumeration (CAWE).” IEEE Software, 2016. Web.

    Moore, G. A. Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials) (3rd ed.). Harper Business, 2014.

    OASIS. “Oasis SOA Reference Model (SOA RM) TC.” OASIS Open, n.d. Web.

    Soni, Mukesh. “Defect Prevention: Reducing Costs and Enhancing Quality.” iSixSigma, n.d. Web.

    The Open Group. TOGAF 8.1.1 Online, Part IV: Resource Base, Developing Architecture Views. TOGAF, 2006. Web.

    The Open Group. Welcome to the TOGAF® Standard, Version 9.2, a standard of The Open Group. TOGAF, 2018. Web.

    Watts, S. “The importance of solid design principles.” BMC Blogs, 15 June 2020. Web. 19 October 2021.

    Young, Charles. “Hexagonal Architecture–The Great Reconciler?” Geeks with Blogs, 20 Dec 2014. Web.

    APPENDIX A

    Techniques to enhance application architecture.

    Consider the numerous solutions to address architecture issues or how they will impact your application architecture

    Many solutions exist for improving the layers of the application stack that may address architecture issues or impact your current architecture. Solutions range from capability changes to full stack replacement.

    Business Capabilities

    Method: Enablement and enhancement
    • Description:
      • Introduce new business capabilities by leveraging unused application functionalities or consolidate redundant business capabilities.
    • Potential Benefits:
      • Increase value delivery to stakeholders.
      • Lower IT costs through elimination of applications.
    • Risks:
      • Increased use of an application could overload current infrastructure.
      • IT cannot authorize business capability changes.
    • Related Blueprints: Use Info-Tech’s Document Your Business Architecture blueprint to gain better understanding of business and IT alignment.

    Method: Removal
    • Description:
      • Remove existing business capabilities that don’t contribute value to the business.
    • Potential Benefits:
      • Lower operational costs through elimination of unused and irrelevant capabilities.
    • Risks:
      • Business capabilities may be seen as relevant or critical by different stakeholder groups.
      • IT cannot authorize business capability changes.
    • Related Blueprints: Use Info-Tech’s Build an Application Rationalization Framework to rationalize your application portfolio.

    Business Process

    Method: Process integration and consolidation
    • Description:
      • Combine multiple business processes into a single process.
    • Potential Benefits:
      • Improved utilization of applications in each step of the process.
      • Reduce business costs through efficient business processes.
      • Minimize number of applications required to execute a single process.
    • Risks:
      • Significant business disruption if an application goes down and is the primary support for business processes.
      • Organizational pushback if process integration involves multiple business groups.

    Method: Process automation
    • Description:
      • Automate manual business processing tasks.
    • Potential Benefits:
      • Reduce manual processing errors.
      • Improve speed of delivery.
    • Risks:
      • Significant costs to implement automation.
      • Automation payoffs are not immediate.

    Method: Lean business processes
    • Description:
      • Eliminate redundant steps.
      • Streamline existing processes by focusing on value-driven steps.
    • Potential Benefits:
      • Improve efficiency of business process through removal of wasteful steps.
      • Increase value delivered at the end of the process.
    • Risks:
      • Stakeholder pushback from consistently changing processes.
      • Investment from business is required to fit documentation to the process.

    Method: Outsource the process
    • Description:
      • Outsource a portion of or the entire business process to a third party.
    • Potential Benefits:
      • Leverage unavailable resources and skills to execute the business process.
    • Risks:
      • Loss of control over process.
      • Can be costly to bring the process back into the business if desired in the future.

    Method: Standardization
    • Description:
      • Implement standards for business processes to improve uniformity and reusability.
    • Potential Benefits:
      • Consistently apply the same process across multiple business units.
      • Transparency of what is expected from the process.
      • Improve predictability of process execution.
    • Risks:
      • Process bottlenecks may occur if a single group is required to sign off on deliverables.
      • Lack of enforcement and maintenance of standards can lead to chaos if left unchecked.

    User Interface

    Method: Improve user experience (UX)
    • Description:
      • Eliminate end-user emotional, mechanical, and functional friction by improving the experience of using the application.
      • UX encompasses both the interface and the user’s behavior.
    • Potential Benefits:
      • Increase satisfaction and adoption rate from end users.
      • Increase brand awareness and user retention.
    • Risks:
      • UX optimizations are only focused on a few user personas.
      • Current development processes do not accommodate UX assessments.

    Code

    Method: Update coding language
    • Description:
      • Translate legacy code into modern coding language.
    • Potential Benefits:
      • Coding errors in modern languages can have lesser impact on the business processes they support.
      • Modern languages tend to have larger pools of coders to hire.
      • Increase availability of tools to support modern languages.
    • Risks:
      • Coding language changes can create incompatibilities with existing infrastructure.
      • Existing coding translation tools do not offer 100% guarantee of legacy function retention.

    Method: Open source code
    • Description:
      • Download pre-built code freely available in open source communities.
    • Potential Benefits:
      • Code is rapidly evolving in the community to meet current business needs.
      • Avoid vendor lock-in from proprietary software.
    • Risks:
      • Community rules may require divulgence of work done with open source code.
      • Support is primarily provided through community, which may not address specific concerns.

    Method: Update the development toolchain
    • Description:
      • Acquire new or optimize development tools with increased testing, build, and deployment capabilities.
    • Potential Benefits:
      • Increase developer productivity.
      • Increase speed of delivery and test coverage with automation.
    • Risks:
      • Drastic IT overhauls required to implement new tools such as code conversion, data migration, and development process revisions.

    Method: Update source code management
    • Description:
      • Optimize source code management to improve coding governance, versioning, and development collaboration.
    • Potential Benefits:
      • Ability to easily roll back to previous build versions and promote code to other environments.
      • Enable multi-user development capabilities.
      • Improve conflict management.
    • Risks:
      • Some source code management tools cannot support legacy code.
      • Source code management tools may be incompatible with existing development toolchain.

    Data

    Method: Outsource extraction
    • Description:
      • Outsource your data analysis and extraction to a third party.
    • Potential Benefits:
      • Lower costs to extract and mine data.
      • Leverage unavailable resources and skills to translate mined data to a usable form.
    • Risks:
      • Data security risks associated with off-location storage.
      • Data access and control risks associated with a third party.

    Method: Update data structure
    • Description:
      • Update your data elements, types (e.g. transactional, big data), and formats (e.g. table columns).
    • Potential Benefits:
      • Standardize on a common data definition throughout the entire organization.
      • Ease data cleansing, mining, analysis, extraction, and management activities.
    • Risks:
      • New data structures may be incompatible with other applications.
      • Implementing data management improvements may be costly and difficult to acquire stakeholder buy-in.

    Method: Update data mining and data warehousing tools
    • Description:
      • Optimize how data is extracted and stored.
    • Potential Benefits:
      • Increase the speed and reliability of the data mined.
      • Perform complex analysis with modern data mining and data warehousing tools.
      • Data warehouses are regularly updated with the latest data.
    • Risks:
      • Updating data mining and warehousing tools may create incompatibilities with existing infrastructure and data sets.

    Integration

    Method: Move from point-to-point to enterprise service bus (ESB)
    • Description:
      • Change your application integration approach from point-to-point to an ESB.
    • Potential Benefits:
      • Increase the scalability of enterprise services by exposing applications to a centralized middleware.
      • Reduce the number of integration tests to complete with an ESB.
    • Risks:
      • Single point of failure can cripple the entire system.
      • Security threats arising from centralized communication node.

    Method: Leverage API integration
    • Description:
      • Leverage application programming interfaces (APIs) to integrate applications.
    • Potential Benefits:
      • Quicker and more frequent transfers of lightweight data compared to extract, load, transfer (ETL) practices.
      • Increase integration opportunities with other modern applications and infrastructure (including mobile devices).
    • Risks:
      • APIs are not as efficient as ETL when handling large data sets.
      • Changing APIs can break compatibility between applications if not versioned properly.

    Data Quality

    • member rating overall impact (scale of 10): 8.3/10
    • member rating average dollars saved: $5,100
    • member rating average days saved: 8
    Restore trust in your data by aligning your data management approach to the business strategy

    Create and Implement an IoT Strategy

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    While the Internet of Things (IoT) or smart devices have the potential to transform businesses, they have to be implemented strategically to drive value. The business often engages directly with vendors, and many IoT solutions are implemented as point solutions with IT being brought in very late in the process.

    This leads to challenges with integration, communication, and data aggregation and storage. IT is often also left grappling with many new devices that need to be inventoried, added to lifecycle management practices, and secured.

    Unlock the true potential of IoT with early IT involvement

    As IoT solutions become more common, IT leaders must work closely with business stakeholders early in the process to ensure that IoT solutions make the most of opportunities and mitigate risks.

    1. Ensure that IoT solutions meet business needs: Assess IoT solutions to ensure that they meet business requirements and align with business strategy.
    2. Make integration and management smooth: Build and execute plans so IoT devices integrate with existing infrastructure and multiple devices can be managed efficiently.
    3. Ensure privacy and security: IoT solutions should meet clearly outlined privacy and security requirements and comply with regulations such as GDPR and CCPA.
    4. Collect and store data systematically: Manage what data will be collected and aggregated and how it will be stored so that the business can recognize value from the data with minimal risk.

    Create and Implement an IoT Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create and Implement an IoT Strategy Deck – A framework to assess and onboard IoT devices into your environment.

    The storyboard will help you create a steering committee and a playbook to quickly assess IoT ideas, determine the best way to support them, test them in proofs of concept when appropriate, and give the business the confidence they need to get the right solution for the job and to know that IT can support them long term.

    • Create and Implement an IoT Strategy – Phases 1-3

    2. Steering Committee Charter Template – Improve governance starting with a steering committee charter to help you clearly define the role of the steering committee to improve outcomes.

    Create a steering committee to improve success of IoT implementations.

    • IoT Steering Committee Charter Template

    3. IoT Solution Playbook – Create an IoT playbook to define a framework to quickly assess new solutions and determine the best time and method for onboarding into your operational environment.

    Create a framework to quickly evaluate IoT solutions to mitigate risks and increase success.

    • IoT Solution Playbook

    Infographic

    Further reading

    Create and Implement an IoT Strategy

    Gain control of your IoT environment

    EXECUTIVE BRIEF

    Table of Contents

    • Analyst Perspective
    • Executive Summary
    • Common Obstacles
    • Framework
    • Insight Summary
    • Blueprint deliverables
    • Blueprint benefits
    • Measure the value of IoT
    • Guided Implementation
    • Phase 1: Define your governance process
      • Define the committee’s roles & responsibilities
      • Define the IoT steering committee’s vision statement and mandate
      • Define procedures for reviewing proposals and projects
    • Phase 2: Define the intake & assessment process
      • Define requirements for requesting new IoT solutions
      • Define procedures for reviewing proposals and projects – BA/BRM
      • Define criteria for assessing proposals and projects – data specialists
      • Define criteria for assessing proposals & projects – Privacy & Security
      • Define criteria for assessing proposals & projects – Infrastructure & Operations
      • Define service objectives & evaluation process
    • Phase 3: Prepare for a proof of value
      • Create a template for designing a proof of value
    • Communications
    • Research contributors and experts
    • Related InfoTech Research

    Analyst perspective

    IoT is an extremely efficient automated data collection system which produces millions of pieces of data. Many organizations will purchase point solutions to help with their primary business function to increase efficiency, increase profitability, and most importantly provide scalable services that cannot exist without automated data collection and analytical tools.

    Most of the solutions available are designed to perform a specific function within the parameters of the devices and applications designed by vendors. As these specific use cases proliferate within any organization, the data collected can end up housed in many places, owned by each specific business unit and used only for the originally designed purpose. Imagine though, if you could take the health information of many patients, anonymize it, and compare overall health of specific regions, rather than focusing only on the patient record as a correlated point; or many data points within cities to look at pedestrian, bike, and vehicle traffic to better plan infrastructure changes, improve city plans, and monitor pollution, then compared to other cities for additional modeling.

    In order to make these dramatic shifts to using many IoT solutions, it’s time to look at creating an IoT strategy that will ensure all systems meet strategic goals and will enable disparate data to be aggregated for greater insights. The act of aggregation of systems and data will require additional scrutiny to mitigate the potential perils for privacy, management, security, and auditability.

    The strategy identifies who stewards use of the data, who manages devices, and how IT enables broader use of this technology. But with the increased volume of devices and data, operational efficiency as part of the strategy will also be critical to success.

    This project takes you through the process of defining vision and governance, creating a process for evaluating proposed solutions for proof of value, and implementing operational effectiveness.

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The business needs to move quickly to adopt new ways to collect and analyze data or automate actions. IoT may be the right answer, but it can be complex and create new challenges for IT teams.

    Many of these solutions are implemented by vendors as point solutions, but more organizations are recognizing they need to bring the data in-house to start driving insights.

    As IoT solutions become more prolific, the need to get more involved in securing and managing these solutions has become evident.

    Common Obstacles

    The business is often engaging directly with the vendors to better understand how they can benefit from these solutions, and IT is often brought in when the solution is ready to go live.

    When IT isn’t involved early, there may be challenges around integrations, communications, and getting access to data.

    Management becomes challenging as many devices are suddenly entering the environment, which need to be inventoried, added to lifecycle management practices, and secured.

    Info-Tech’s Approach

    Info-Tech’s approach starts with assessing the proposed solutions to:

    • Ensure they will meet the business need.
    • Understand data structure for integration to central data store.
    • Ensure privacy and security needs can be met.
    • Determine effort and technical requirements for integration into the infrastructure and appropriate onboarding into operations.

    Early intervention will improve results. IoT is one of the biggest challenges for IT departments to manage today. The large volume of devices and lack of insight into vendor solutions is making it significantly harder to plan for upgrades and contract renewals, and to guarantee security protocols are being met. Create a multistep onboarding process, starting with an initial assessment process to increase success for the business, then look to derive additional benefits to the business and mitigate risks.

    Your challenge

    Scaling up and out from an IoT point solution is complicated and requires collaboration from stakeholders that may not have worked well together before
    • Point solutions may be installed and configured with support outsourced to vendors, where integrations may be light or non-existent.
    • Each point solution will be owned by the business, with data used for a specific purpose, and may only require infrastructure support from the internal IT department.
    • Operational needs must be met to protect the business’ investment, and without involving IT early, agreements may be signed that don’t meet long-term goals of high value at reasonable prices.
    • To fully realize value from multiple disparate systems, a cohesive strategy to bring together data will be required, but with that comes a need to improve technology, determine data ownership, and improve oversight with strengthened security, privacy, and communications.
    • Where IoT is becoming a major source of data, taking a piecemeal approach will no longer be enough to be successful.

    IoT solutions may be chosen by the business, but to be successful and meet their requirements, a partnership with IT will ensure better communications with the service provider for a less stressful implementation with governance over security needs and protection of the organization’s data, and it will ensure that continual value is enabled through effective operations.

    Pie chart titled 'IoT project success' with '12% Fully successful', '30% Mostly successful', '40% Mostly unsuccessful', and 'Not at all successful'.
    (Source: Beecham Research qtd. in Software AG)

    Common obstacles

    These barriers make IoT challenging to implement for many organizations:
    • Solutions managed outside of IT, whether through an operational technology team or an outsourced vendor, will require a comprehensive approach that encourages collaboration, common understandings of risk, and the ability to embrace change.
    • Technical expertise required will be broad and deep for a multi-solution implementation. Many types of devices, with varied connections and communications methods, will need to be architected with flexibility to accommodate changing technology and scalability needs.
    • Understanding the myriad options available and where it makes sense to deploy cutting-edge vs. proven technologies, as well as edge computing and digital twins.
    • External consultants specializing in IoT may need to be engaged to make these complex solutions successful, and they also need to be skilled in facilitating discussions within teams to bring them to a common understanding.
    • Analysis skills and a data strategy will be key to successfully correlating data from multiple sources, and AI will be key to making sense of vast amounts of data available and be able to use it for predictive work. According to the Microsoft IoT Signals report of October 2020, “79% of organizations adopt AI as part of their IoT solution, and those who do perceive IoT to be more critical to their company’s success (95% vs. 82%) and are more satisfied with IoT (96% vs. 87%).”
    Pie chart with two tiers titled 'Challenges to using IT'. The inner circle are challenge categories like 'Security', 'Lack of budget/staff', and the outer circle are the more specific challenges within them, such as 'Concerned about consumer privacy' and 'No human resources to implement & manage'.
    (Source: Microsoft IoT Signals, Edition 2, October 2020 n=3,000)

    Internet of Things Framework

    Interoperability of multiple IoT systems and data will be required to maximize value.

    GOVERNANCE

    What should I build? What are my concerns?
    Where should I build it? Why does it need to be built?

    DATA MODEL → BUSINESS OPERATING MODEL

    DATA MODEL
    • Data quality
    • Metadata
    • Persistence
    • Lifecycle

    BUSINESS OPERATING MODEL
    • Sales, marketing
    • Product manufacturing
    • Service delivery
    • Operations

    BUSINESS USE CASE
    • Customer facing
    • Internal facing
    • ROI

    ETHICS
    • Deliberate misuse
    • Unintentional consequences
    • Right to informed consent
    • Active vs. passive consent
    • Bias
    • Profit vs. common good
    • Acceptable/fair use
    • Responsibility assignment
    • Autonomous action
    • Transparency
    • Vendor ethical implications

    TECHNICAL OPERATIONAL MODEL
    • Personal data
    • Customer data
    • Non-customer data
    • Public data
    • Third-party business data
    • Data rights/proprietary data
    • Identification
    • Vendor data
    • Profiling (Sharing/linkage of data sets)

    CONTROLS

    How do I operate and maintain it?

    1. SECURITY
      • Risk identification and assessment
      • Threat modeling – ineffective because of scale
      • Dumb, cheap endpoints without users
      • Massive attack surface
      • Data/system availability
      • Physical access to devices
      • Response to anonymized individuals
    2. COMPLIANCE
      • Internal
      • External
        NIST, SOC, ISO
        Profession/industry
      • Ethics
      • Regulatory
        PII, GDPR, PIPEDA
        Audit process
    1. OPERATIONAL STANDARDS
      • Industry best practices
      • Open standards vs. proprietary ones
      • Standardization
      • Automation
      • Vendor management
    2. TECHNICAL OPERATIONAL MODEL
      • Platforms
      • Insourcing/outsourcing
      • Acquisition
      • Asset management
      • Patching
      • Data protection
      • Source image control
      • Software development lifecycle
      • Vendor management
      • Disposition/disposal

    BRIDGING THE PHYSICAL WORLD AND THE VIRTUAL WORLD

    How should it be built?

    Diagram with 'Physical World' 'Internet of Things Devices' on the left, connected to 'Virtual World' 'Central Compute (Cloud/Data Center)', 'Edge Computing', and 'Business Systems and Applications' via 'Data – Data Normalization' from physical to virtual and 'Instructions' from virtual to physical.

    Insight summary

    Real value to the business will come from insights derived from data

    Many point solutions will solve many business issues and produce many data sets. Ensure your strategy includes plans on how to leverage data to further your organizational goals. A data specialist will make a significant difference in helping you determine how best to aggregate and analyze data to meet those needs.

    Provide the right level of oversight to help the business adopt IoT

    Regardless of who is initiating the request or installing the solution, it’s critical to have a framework that protects the organization and their data and a plan for managing the devices.

    The business doesn’t always know what questions to ask, so it’s important for IT to enable them if moving to a business-led innovation model, and it’s critical to helping them achieve business value early.

    Do a pre-implementation assessment to engage early and at the right level

    Many IoT solutions are business- and vendor-led and are hosted outside of the organization or managed inside the business unit.

    Having IT engage early allows the business to determine what level of support is appropriate for them, allows IT to ensure data integrity, and allows IT to ensure that security, privacy, and long-term operational needs are managed appropriately.

    Blueprint deliverables

    IoT Steering Committee Charter

    Create a steering committee to improve success of IoT implementations

    Sample of the IoT Steering Committee Charter.

    IoT Solution Playbook

    Create a framework to quickly evaluate IoT solutions to mitigate risks and increase success

    Sample of the IoT Solution Playbook.

    Blueprint benefits

    IT Benefits

    • Aggregation of processes and data may have compelling implications for increasing effectiveness of the business, but this may also increase risk. A framework will help to drive value while putting in appropriate guardrails.
    • IoT use cases may be varied within many industries, and the use of many types of sensors and devices complicates management and maintenance. A common understanding of how devices will be tracked, managed, and maintained is imperative to IT securing their systems and data.
    • A pilot program to evaluate effectiveness and either reject or move forward with a plan to onboard the solution as quickly as possible will ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

    Business Benefits

    • Aggregation of many disparate groups of data can provide new insights into the way an organization interacts with its clients and how clients are using products and services.
    • As organizations innovate and new IoT solutions are introduced to the environment, solutions need to be evaluated quickly to determine if they’re going to meet the business case and then determine what needs to be put in place for technology, process, and policy to ensure success.
    • As new solutions are introduced, anyone who may be impacted through this new data-collection process will need to be informed and feel secure in the way information is analyzed and managed. This project will provide the framework to quickly assess the risks and develop a communications plan.

    Evaluate digital transformation opportunities with these guiding principles for smart solutions

    Problem & opportunity focus
    • Search for real problems to solve, with visible improvement possibilities
    • Don’t choose technology for technology’s sake
    • Keep an eye to the future
    • Strategic foresight
    Piece by piece
    • Avoid the “Big Bang” approach
    • Test technologies in multiple conditions
    • Run inexpensive pilots
    • Increase flexibility
    • Technology ecosystem
    User buy-in
    • Collaborate with the community
    • Gain and sustain support
    • Increase uptake of city technology
    • Crowdsource community ideas
    Recommendations:
    Focus on real problems • Be a fast follower • Build a technology ecosystem

    Info-Tech Insight

    When looking for a quick win, consider customer journey mapping exercises to find out what it takes to do the work today. For example, map the journey to apply for a building permit, renew a license, or register a patient.

    Measure the value of IoT

    There is a broad range of IoT solutions, all designed to collect information and execute actions in a way that increases profitability and/or improves services. McKinsey estimates value created through interoperability will account for 40% to 60% of the potential value of IoT applications.

    Revenue Generating
    • Production increases and efficiency
    • Reliability as data quality increases
    • New product development opportunities through better understanding of how your products are used
    • New product offerings with automated data collection and analysis of aggregated data
    Improved outcomes
    • Improved wellness programs for employees and patients through proactive health management
      • Reduction in health care/insurance costs
      • Reduction in time off for illness
    • Reduction in human error
    • Improved safety – fewer equipment malfunction incidents
    • Sustainability – reduction in emissions
    Increased access to data, especially if aggregating with other data sources, will increase opportunities for data analysis leading to more informed decision making.
    Cost Avoidance
    • Cost efficiency – lower energy consumption, less waste, improved product consumption
    • Reliability – reduced downtime of equipment due to condition-based maintenance
    • Security – decrease in malware attacks
    Operational Metrics
    • # supported devices
    • % of projects using IoT
    • % of managed systems
    • % of increase in equipment optimization

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation
    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop
    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting
    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 4 and 8 calls over the course of 2 to 4 months.

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3
    Call #1: Determine steering committee members and mandates.

    Call #2: Define process for meeting and assessing requests.

    Call #3: Define the intake process.

    Call #4: Define the role of the BRM & assessment criteria.

    Call #5: Define the process to secure funding.

    Call #6: Define assessment requirements for other IT groups.

    Call #7: Define proof of value process.

    Create and Implement an IoT Strategy

    Phase 1

    Define your governance process

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Create the steering committee project charter
    If a steering committee exists, it may be appropriate to define IoT governance under their mandate. If a committee doesn’t already exist or their mandate will not include IoT, consider creating a committee to set standards and processes and quickly evaluate solutions for feasibility and implementation.

    Create an IoT steering committee to ensure value will be realized and operational needs will be met

    The goals of the steering committee should be:

    • To align IoT initiatives with organizational goals. 
    • To effectively evaluate, approve, and prioritize IoT initiatives.
    • To approve IoT strategy & evaluation criteria.
    • To reinforce and define risk evaluation criteria as they relate to IoT technology.
    • To review pilot results and confirm the value achievement of approved IoT initiatives.
    • To ensure the investment in IoT technology can be integrated and managed using defined parameters.

    Assemble the right team to ensure the success of your IoT ecosystem

    Business stakeholders will provide clarity for their strategy and provide input into how they envision IoT solutions furthering those goals and how they may gain relevant insights from secondary data.

    As IoT solutions move beyond their primary goals, it will be critical to evaluate the continually increasing data to mitigate risks of unintended consequences as new data sets converge. The security team will need to evaluate solutions and enforce standards.

    CDO and analysts will assess opportunities for data convergence to create new insights into how your services are used.

    Lightbulb with the word 'Value' surrounded by categories relative to the adjacent paragraph, 'Data Scientists', 'Security and Privacy', 'Business Leaders', 'IT Executives', 'Operations', and 'Infrastructure & Enterprise Architects'.

    IT stakeholders will be driving these projects forward and ensuring all necessary resources are available and funded.

    Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

    Each solution added to the environment will need to be chosen and architected to meet primary functions and secondary data collection.

    Identify IoT steering committee participants to ensure broad assessment capabilities are available

    • The committee should include team members experienced enough to provide an effective assessment of IoT projects, and to provide input and oversight regarding business value, privacy, security, operational support, infrastructure, and architectural support.
    • A data specialist will be critical for evaluating opportunities to expand use of data and ensure data can be effectively validated and aggregated. Additional oversight will be needed to review aggregated data to protect against the unintended consequences of having data combined and creating personas that will identify individuals.
    • Additional experts may be invited to committee meetings as appropriate, and ideas should be discussed and clarified with the business unit bringing the ideas forward or that may be impacted by solutions.
    • Invite appropriate IT and business leaders to the initial meeting to gain agreement and form the governance model.

    Determine responsibilities of the committee to gain consensus and universal understanding

    STRATEGIC ALIGNMENT
    • Define the IoT vision in alignment with the organizational strategy and mission.
    • Define strategy, policies, and communication requirements for IoT projects.
    • Assess and bring forward proposals to utilize IoT to further organizational strategy.

    VALUE DELIVERY
    • Define criteria for evaluating and prioritizing proposals and projects.
    • Validate the IoT proposals to ensure value drivers are understood and achievable.
    • Identify opportunities to combine data sets for secondary analysis and insights.

    RISK OPTIMIZATION
    • Evaluate data and combined data sets to avoid unintended consequences.
    • Ensure security standards are adhered to when integrating new solutions.
    • Reinforce privacy regulations, policy, and communications requirements.

    RESOURCE OPTIMIZATION
    • Identify and validate investment and resource requirements.
    • Evaluate technical requirements and capabilities.
    • Align IoT management requirements to operations goals within IT.

    PERFORMANCE MANAGEMENT
    • Assess validity of pilot project plan, including success criteria.
    • Identify corner cases to assess functionality and potential risks beyond core features.
    • Monitor progress, evaluate results, and ensure organizational needs will be met.
    • Evaluate pilot to determine if it will be moved into full production, reworked, or rejected.

    1.1 Exercise:
    Define the committee’s roles & responsibilities in the IoT steering committee charter

    1-3 hours

    Input: Current policies and assessment tools for security and privacy, Current IT strategy for introducing new solutions and setting standards

    Output: List of roles and responsibilities, High-level discussion points

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Identify and document core and auxiliary members of the committee, ensuring all important facets of the IoT environment can be assessed.
    2. Identify and document the committee chair.
    3. Gain consensus on responsibilities of the steering committee.

    Download the IoT Steering Committee Charter

    Define the vision statement for the IoT committee to clarify mandate and communicate to stakeholders

    The vision statement will define what you’re trying to achieve and how. You may have the statement already solidified, but if not, start by brainstorming several outcomes and narrow to fewer than 5 focus areas.

    A vision statement should be concise and should be in support of the overall IT strategy and organizational mission. The vision statement will be used as a high-level guide for defining and assessing proposed solutions and evaluating potential outcomes. It can be used as a limiter to quickly weed out ideas that don’t fit within the mandate, but it can also inspire new ideas.

    • Support innovation
    • Enable the business
    • Enable operations for continual value

    New York City has a broad plan for implementing IoT to meet several aspects of their overall strategy and subsequently their IT strategy. Their strategic plan includes several focus areas that will benefit from IoT:
    • A vibrant democracy
    • An inclusive economy
    • Thriving neighborhoods
    • Healthy lives
    • Equity and excellence in education
    • A livable climate
    • Efficient mobility
    • Modern infrastructure
    Their overall mission is: “OneNYC 2050 is a strategy to secure our city’s future against the challenges of today and tomorrow. With bold actions to confront our climate crisis, achieve equity, and strengthen our democracy, we are building a strong and fair city. Join us.”

    In order to accomplish this overall mission, they’ve created a specific IT vision statement: “Improve digital infrastructure to meet the needs of the 21st century.”

    This may seem broad, and it includes not just IoT, but also the need to upgrade infrastructure to be able to enable IoT as a tool to meet the needs to collect data, take action, and better understand how people move and live within the city. You can read more of their strategy at http://onenyc.cityofnewyork.us/about/

    1.2 Exercise:
    Define the IoT steering committee’s vision statement and mandate

    1 hour

    Input: Organizational vision and IT strategy

    Output: Vision statement

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Starting with the organizational mission statement, brainstorm areas of focus with the steering committee and narrow down the statement.
    2. Make sure it’s broad enough to encompass your goals, but succinct enough to allow you to identify projects that don’t meet the vision.
    3. Test with a few existing ideas.
    4. Document in your steering committee charter.

    Download the IoT Steering Committee Charter

    Use the COPIS methodology to define your project review process

    COPIS is a customer-focused methodology used to focus on the areas around the process, ensuring a holistic view starting with who the customer is and what they need, then building out the process and defining what will be required to be successful and who will be involved in fulfilling the work.

    Customer

    • Executive leadership
    • Business leaders

    Outputs

    • Risk assessment
    • Approvals to proceed
    • Pilot plan
    • Assessment to approve for production or reject

    Process

    • Review proposals
    • Ask questions and discuss with proposer & committee
    • Review pilot & testing plan
    • Engage with IT Team to define requirements

    Inputs

    • Request form including:
      • New idea
      • Business value defined
      • Data collected
      • Initial risk assessment
      • Implementation plan
      • Definition of success

    Suppliers

    • IT operations team
    • Device and software vendors
    • IT leaders
    • Risk committee

    Agenda & process flow

    Determine where people will access request form Ending point
    Sequence of right-facing arrows labelled 'Agenda & process flow'. Text in each arrow from left to right reads 'Confirm attendees required are in attendance', 'Review open action items', 'Assess new items', 'Assess prioritization', 'Review metrics & pilots in progress', 'Decisions & recommendations'.

    Create a committee charter to ensure roles are clarified and mandates can be met

    The purpose of the committee is to quickly assess and protect organizational interests while furthering the needs of the business

    The committee needs to be seen as an enabler to the business, not as a gatekeeper, so it must be thorough but responsive.

    The charter should include:
    • The vision to ensure clarity of purpose.
    • IoT mandates to focus the committee on assessment criteria.
    • Roles, responsibilities, and assignments to engage the right people who will provide the kind of guidance needed to ensure success.
    • Procedures to make the best use of each committee member’s time.
    • Process flow to guide evaluations to avoid unnecessary delays while reducing organizational risks.

    1.3 Exercise:
    Define procedures for reviewing proposals and projects

    2-3 hours

    Input: Schedules of committee members, Process documentation for evaluating new technology

    Output: Procedures for reviewing proposals, Reference documentation for evaluating proposals

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Discuss as a group how often you will meet for reviews and project updates. Which roles will have veto rights on project approvals?
    2. Define the intake process and requirements for scheduling based on average lead time to get the group together and preview documentation.
    3. Identify where process documentation already exists to use for evaluation of proposals and projects, and what needs to be created to quickly move from evaluation to action phases.
    4. Define basic rules of engagement.
    5. Define process flow using COPIS methodology as a framework. Note the different stages that may be part of the intake flow. Some business partners may bring solutions to IT, and others may just have an idea that needs to be solutioned.

    Download the IoT Steering Committee Charter

    Create and Implement an IoT Strategy

    Phase 2

    Define the intake and assessment process

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Define requirements for requesting new IoT solutions
    • Define procedures for reviewing proposals and projects
    • Define service objectives and evaluation process for reviewing proposals and projects

    Determine what information is necessary to start the intake process

    To encourage your business leaders to engage IT in evaluating and appropriately supporting the solution, start with an intake process that is simple and easily populated with business information.
    • Review intake forms from the PMO or build your own from the IoT Solution Playbook.
    • Start by asking for a clear picture of the solution. Ensure the requester can clearly articulate the business benefit to the solution, including what issues are being resolved and what success looks like.
    • Requesters may not be expected to seek out all relevant information to make the decision.
      • Consider providing a business analyst (BA) to assist with data gathering for further assessment and to launch the review process.
      • Review may require additional steps if it is not clear the proposed solution will perform as expected and could include conversations with the vendor or a determination that a full requirements-gathering process may need to be done.
    • Typically, a BA will launch the review process to have appropriate experts assess the feasibility of the solution; assess regulatory, privacy, and security concerns; and determine the level of involvement needed by IT and the project managers.
    • Have options for different starting points. Some requesters may be further along in their research as they know exactly what they want, while others will be early in the idea stage. Don’t discourage innovation by creating more work than they’re able to execute.

    Business goals and benefits are important to ensure the completed solution meets the intended purpose and enables appropriate collection, analysis, and use of data in the larger business context.

    Ongoing operational support and service need to be considered to ensure ongoing value, and adherence to security and privacy policies is critical.

    2.1 Exercise:
    Define requirements for requesting new IoT solutions

    1 hour

    Input: Business requirements for requesting IT solutions

    Output: Request form for business users, Section 1 of the IoT Solution Playbook

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Determine requirements for initiating an assessment.
      1. Will a business case be necessary to start, or can the assessment feed into the business case?
      2. How can you best access the work already done by the requester to not start over?
      3. Determine the right questions to understand how they will define success to ensure this solution will do what they need.
      4. Do you need a breakdown of the way they do the job today?
      5. What level of authorization needs to be on the request to move forward?
    3. Try to balance the effort of the requester against their role. Don’t expect them to investigate solutions beyond the business value.
    4. Provide them with a means to provide you any information they have gathered, especially if they have already spoken to vendors.

    Download the IoT Solution Playbook

    Define what role the BA or BRM will play to support the request process

    Identify questions that will need to be answered in order to assess if the solution will be fit for purpose, to help build out business cases, and to enable the appropriate assessments and engagement with project managers and technical teams.
    • Project sponsorship is key to moving the project ahead. Ensure the project sponsor and business owner will be in alignment on the solution and business needs.
    • Note any information that will help to prioritize this project among all other requests. This will feed into implementation timing and the project management needs, resourcing, and vendor engagement required.
    • Determine if a proof of value would be an asset. A proof of value can be time consuming, but it can mitigate the risks of large-scale failures.
    • Ask about data collection and data type, which will be a major part of the assessment for the data team and for security, privacy, infrastructure, and operational assessments.
    • Determine if any actions will need to be taken, which might include data transfer, notifications and alerts, or others. This may require additional discussions on actuators, RPA, data stores, and integrations.
    • Determine if any automation will be part of the solution, as this will help to inform future discussions on power, connectivity, security, and privacy.

    Download the blueprint Embed Business Relationship Management in IT if you need help to support the business in a more strategic manner.

    Info-Tech Insight

    Understanding the business issue more deeply can help the business analyst determine if the solution needs a review of business process as well as helping to build out the requirements well enough to improve chances of success.

    The BA should be able to determine initial workload and involvement of project managers and evaluators.

    Clearly articulate the business benefits to secure funding and resources

    If the business users need to build a business case, the information being collected will help to define the value, estimate costs, and evaluate risk.

    The business benefits of IoT point solutions can be straightforward to articulate, as they will be very specific and will likely fit into one of these categories:
    • Financial – to increase profitability or reduce costs through predictive maintenance and efficiency.
    • Business Development – innovation for new products, services, and methodologies.
    • Improve specific outcomes – typically these will be industry specific, such as improved patient health care, reduced traffic congestion or use of city resources, improved billing, or fire prevention for utility companies.

    As you start to look at the bigger picture of how these different systems can bring together disparate data sets, the benefits will be harder to define, and the costs to implement this next level of data analysis can be daunting and expensive.

    This doesn’t necessitate a complete alignment of data collection purposes; there may be benefits to improving operations in secondary areas such as updating HVAC systems to reduce energy costs in a hospital, though the updated systems may also include sensors to monitor air quality and further improve patient outcomes.

    In these cases, there may be future opportunities to use this data in unexpected ways, but even where there aren’t, the same standards for security, privacy, and operations should apply.

    Table titled 'Increasing productivity through efficiency and yield are the top benefits organizations expect to see from IoT implementations' with three columns: one for type of benefit (i.e., efficiency, yield, quality, etc.), one for different IoT implementations, and one for percent increase.
    (Microsoft IoT Signals Report 2020, n = 3,000 IT Professionals)

    2.2 Exercise – BA/BRM: Define procedures for reviewing proposals and projects

    1 hour

    Input: Process documentation for evaluating new technology, Business case requirements

    Output: Interview questions and assessment criteria for BA/BRM

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive(s), Senior data specialist, Senior business executive(s)

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the business to determine whether the request will be fit for purpose.
    3. Additional questions may help to:
      1. Identify project sponsors to determine if requirements are defined or need to be, and who will champion this project through to implementation.
      2. Identify what additional work will be needed for you to shepherd the project through the various stage gates.
      3. Identify any prioritization criteria including business-specific milestones and outcomes.
    4. Document when a formal business case needs to be created.

    Download the IoT Solution Playbook

    Assess the vendor’s solution for accessibility to ensure data will be available and useable

    Data governance, including stewardship and ownership; lineage; and the ability to scale, deduplicate, normalize, validate, and aggregate disparate data will be critical to being able to analyze data to execute on strategic goals.

    If your organization isn’t poised to manage and make the best use of the data, see Info-Tech’s related blueprints:

    Data ownership is important to establish early on, as the owner(s) will be accountable for how data is used and accessed. Data needs to be owned by the organization (not the vendor) and needs to be accessible for:
    • Regulatory compliance.
    • Data quality and validation.
    • Data normalization.
    • Data aggregation and analysis.
    Vendor assessments need to investigate how data will be accessed, where data is normalized, and how data will be validated.
    Data validation will have different levels of importance depending on the use case. Where data validation is critical, there may be a need to double up sensors in key areas, validate against adjacent sensors, or better understand how and where data will be collected.
    • Infrared sensors may include intelligence to count people or objects.
    • Cameras might require manual counts but may provide better images.
    • Good quality images may require technology to distort faces for privacy.
    If data validation will include non-sensor data, such as validation against a security access database or visitor log, access to the data for validation may be required in near real time.

    Determine how often you need to access and download data

    Requirements will vary depending on whether sensors are collecting data for later analysis or if they are actuators that need to process data at the source.

    Determine where the data will reside and how it will be structured. If it will be open and controlled within your own environment, confer with your data team to ensure the solution is integrated into your data systems. If, however, the solution is a point solution which will be hosted by the vendor, understand who will be normalizing the data and how frequently you can export or transfer it into your own data repository. If APIs will need to be installed to enable data transfer, work with the vendor to test them.

    Self-contained or closed solutions may be quick to install and configure and may require minimal technical support from within your own IT team, but they will not provide visibility to the inner workings of the solution. This may create issues around integration and interoperability which could limit the functionality and usability beyond the point solution.

    If the solution chosen is a closed system, determine how you will need to interact with the vendor to gain access to the data. Interoperability may not be an option, so work with the vendor to set up a regular cadence for accessing the data.

    Questions for the vendor could include:

    1. How often can we access the data? Will the vendor push it on a regular basis? Is it on demand?
    2. Or will we need to pull the data? Is there an API?
    3. Will the data be normalized?
    4. Will the data be transferred, or will the vendor keep a historical record?
    5. Are there additional fees for archiving or for data extraction?

    Identify whether digital twins are needed

    Create a virtual world to safely test and fail without impacting the real-world applications.

    As actuators are processing information and executing actions, there may be a benefit to assess the effectiveness and impact of various scenarios in a safe environment. Digital twins enable the creation of a virtual world to test these new use cases using real world scenarios.

    These virtual replicas will not be necessary for every IoT application as many solutions will be very straightforward in their application. But for those complex systems, such as smart buildings, smart cities and mechanically complex projects, digital twins can be created to run multiple simulations to aid in business continuity planning, performance assessments, R&D and more.

    Due to the expense and complexity of creating a full digital twin, carefully weighing the benefits and identifying how it will be used can help to build the business case to invest in the technology. Without the skills in house, reliance on a vendor to create the model and test scenarios will likely be part of the overall solution.

    The assessment will also include understanding what data will be transferred into the model, how often it will be updated, how it will be protected and who will need to be involved in the modeling process.

    Download the blueprint Double Your Organization’s Effectiveness With a Digital Twin if you need more information on how to leverage digital twin technology.


    To fully realize value in IoT, think beyond single use case solutions to leverage the data collected

    Expertise in data analysis will be key to moving forward with an enterprise approach to IoT and the data it produces.
    • A single IoT solution can add hundreds of sensors, collecting a wide variety of data for specific purposes. If multiple solutions are in place, there may be divergent data sets that may never be seen by anyone other than their specific data stewards.
    • Many organizations have started out with one or two solutions that support their primary business and may include some more mature offerings such as HVAC systems, which have used sensors for years. However, not all data is used today. In many cases, data is used for anomaly detection to improve operations, and only the non-standard information is used for alerting. McKinsey estimates less than 1% of data is used in these applications, with the remaining data stored or deleted, rather than used for optimization and predictive analysis.
    • Thinking beyond the initial use cases, there may be opportunities to create new services, improve services for existing products, or improve insights through analysis of juxtaposed data.
    • McKinsey reports up to $11.1 trillion a year in economic value may be possible by 2025 through the linking of the physical and digital worlds. Personal devices and all industries are potential growth areas – though factories and anywhere that could use predictive maintenance, cities, retail, and transportation will see the largest probable increases. Interoperability was identified as being required to maximize value, accounting for 40% to 60% of the potential value of IT applications.
    • Where data is used to correct and control anomalies, very little data is retained and used for optimization or predictive analysis. By taking a deliberate approach to normalize, correlate, and analyze data, organizations can gain insight into the way their products are used, benefit from predictive maintenance, improve health care, reduce costs, and more.
    (Source: McKinsey, 2015)

    By 2025 an estimated data volume of 79.4 zettabytes will be attributed to connected IoT devices. (Statista)

    Build data governance and analysis into your strategy to find new insights from correlating new and existing data

    As a point solution, IoT provides a means to collect large amounts of data quickly and act. When determining the use case for IoT and best fit solutions, it’s important to think about what data needs to be collected and what actions will need to be coordinated. As the need for more than just a few IoT solutions surfaces, the complexity and potential usefulness of data increases. This can lead to significant changes to the scope of data collection, storage, and analysis and may lead to unintended consequences.
    • Some industries, such as governments looking to build smart cities, will have a very broad range of opportunities for IoT devices, as well as high levels of difficulty managing very disparate systems; other industries, such as healthcare, will have very focused prospects for data collection and analysis.
    • In any case, the introduction of new IoT solutions can create very large amounts of data quickly, and if used only for a single purpose, there may be lost opportunity for expanding use of data to better understand your product, customers, or environment.
    • Don’t limit analysis to only IoT-collected data, as this can be consolidated with other sources for validation, enhancement, and insights. For example, fleet transponders can be connected to travel logs and dispatch records for validation and evaluation of fuel and resource consumption.
    • Determine the best time and methods for consolidation and normalization; consider using data consolidation vendors if the expertise is not available in-house.
    • As data combines, there may be unintended consequences of unique anonymous identifiers combining to identify employees or customers, and the potential for privacy breaches will need to be evaluated as all new systems come on-line.
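
    The re-identification risk in the last bullet can be measured before two data sets are consolidated by checking k-anonymity on the combined attributes. This is an added example, not part of the original blueprint; the occupancy and parking records, the field names, and the threshold k=3 are constructed assumptions.

```python
"""k-anonymity check for consolidated IoT data sets (all sample data is constructed)."""
from collections import Counter

# Constructed sample: desk-occupancy sensors keyed by a pseudonymous badge token.
OCCUPANCY = [
    {"token": "t1", "floor": 3, "arrival_hour": 8},
    {"token": "t2", "floor": 3, "arrival_hour": 8},
    {"token": "t3", "floor": 3, "arrival_hour": 8},
    {"token": "t4", "floor": 5, "arrival_hour": 9},
    {"token": "t5", "floor": 5, "arrival_hour": 9},
    {"token": "t6", "floor": 5, "arrival_hour": 9},
]

# Constructed sample: parking-gate sensors that reuse the same token.
PARKING = [
    {"token": "t1", "lot": "north", "vehicle": "ev"},
    {"token": "t4", "lot": "north", "vehicle": "ev"},
    {"token": "t5", "lot": "north", "vehicle": "ev"},
    {"token": "t2", "lot": "south", "vehicle": "petrol"},
    {"token": "t3", "lot": "south", "vehicle": "petrol"},
    {"token": "t6", "lot": "south", "vehicle": "petrol"},
]


def class_sizes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row.get(q) for q in quasi_ids) for row in rows)


def k_anonymity(rows, quasi_ids):
    """Smallest equivalence-class size; 0 for an empty data set."""
    sizes = class_sizes(rows, quasi_ids)
    return min(sizes.values()) if sizes else 0


def at_risk(rows, quasi_ids, k):
    """Rows whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = class_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[tuple(r.get(q) for q in quasi_ids)] < k]


def inner_join(left, right, key):
    """Merge rows from both sets that carry the same key value."""
    index = {}
    for row in right:
        index.setdefault(row[key], []).append(row)
    return [{**l, **r} for l in left for r in index.get(l[key], [])]


def generalize(rows, rules):
    """Return copies of rows with each column named in `rules` coarsened."""
    return [{c: rules[c](v) if c in rules else v for c, v in row.items()}
            for row in rows]


def report(k=3):
    """Compare each source on its own with the consolidated view."""
    joined = inner_join(OCCUPANCY, PARKING, "token")
    all_qi = ["floor", "arrival_hour", "lot", "vehicle"]
    # Mitigation: collapse the parking detail to one coarse value before release.
    coarse = generalize(joined, {"lot": lambda _: "on-site",
                                 "vehicle": lambda _: "any"})
    return {
        "occupancy_k": k_anonymity(OCCUPANCY, ["floor", "arrival_hour"]),
        "parking_k": k_anonymity(PARKING, ["lot", "vehicle"]),
        "joined_k": k_anonymity(joined, all_qi),
        "joined_at_risk": sorted(r["token"] for r in at_risk(joined, all_qi, k)),
        "coarse_k": k_anonymity(coarse, all_qi),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

    Each source meets k=3 on its own, but the consolidated view drops to k=1 until the parking attributes are coarsened.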

    “We find very little IoT data in real life flows through analytics solutions, regardless of customer size. Even in the large organizations, they tend to build at-purpose applications, rather than creating those analytical scenarios or think of consolidating the IoT data in a data lake like environment.” (Rajesh Parab, Info-Tech Research Group)

    2.3 Exercise – data specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for data specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solution to ensure data governance and accessibility needs will be met.
    3. Additional questions may help to:
      1. Identify data owners or stewards to determine who will have authority over data and ensure their needs will be met.
      2. Identify what additional work will be needed for the data team to access, validate, normalize, and centralize data.
      3. Identify any concerns that would mark the solution as unviable.
      4. Identify any risks to data accessibility which will require mitigation.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    Security assessments will need to include risk reviews specific to IoT

    The increase of data collectors and actuators creates a large attack surface that could easily provide an entry point for hackers to connect into an organization’s network. Assess existing protocols and risk registry to ensure all IoT systems are reviewed for security threats.

    The significant increase in devices and applications will require a review of security practices related to IoT to understand and mitigate risks. Even if the data collected is not considered integral to the business, such as with automated HVAC systems or an aquarium monitoring system, the devices can provide an entry point to access the network.

    IoT and ICS devices are functionally diverse and may include more mature solutions that have been acquired many times over. There are a wide variety of protocols that may not be recognized by vulnerability scanners as safe to operate in your environment. Many of these solutions will be agentless and may not be picked up by scanners on the network. Without knowing these devices exist or understanding the data traffic patterns, protecting the devices, data, and systems they’re attached to becomes challenging.

    Discovery and vulnerability scanners tuned specifically for IoT look for and allow unusual protocols and traffic patterns. This enables these devices to operate as designed without being shut down by vulnerability scanners that protect more traditional devices and traffic on an IT network. Orphaned devices can be found and removed. Solutions that provide detailed asset inventories and network topologies will improve vulnerability detection.

    Systems that are air gapped or completely segregated may provide a layer of protection between IoT devices and the corporate network, but this may create additional difficulties in vulnerability assessment, identifying and responding to active threats, or managing the operational side. Additionally, if there are still functional connections between these systems for traffic to flow back to central repositories, operational systems, or remote connections, there are still potential threats.

    If security controls are not yet documented, see Info-Tech’s related blueprints:


    Align risk assessments to your existing risk registry, to quickly approve low-risk solutions and mitigate high risk

    Work with the business owner to understand how these systems are designed to work. Tracking normal patterns of behavior and traffic flow may be key to fine-tuning security settings to accommodate these solutions and prevent false positive shutdowns, especially if using automated remediation. Is the business owner identified, and will they be accessible throughout the lifecycle of the solution?

    Physical security: Will these systems be accessible to the public, and can they be secured in a way to minimize theft and vandalism? Will they require additional housing or waterproofing? Could access be completely secured? For example, could anyone access and install malware on a disconnected camera’s SD card?

    Security settings: For ease of service and installation, a vendor may use default security settings and passwords. This can give hackers easy access to the network and to sensitive data. Is there a possibility of IP theft through access by sensors? Determine who will have remote access to the system, and if the vendor will be supporting the system, will they be using least privilege or zero trust models? Determine their adherence to your security policy.

    Internet and network access and monitoring: Review connectivity and data transmission requirements and whether these can be accommodated in a way that balances security with operational needs. Will there be a need for air gapping, firewalls, or secure tunnelling, and will these solutions allow for discovery and monitoring? Can the vendor guarantee there are no back doors built into the code? Will the system be monitored for unauthorized access and activity, and what is the response process? Can it be integrated into your security operations center?

    Failover state: IoT devices with actuators or that may impact health and safety will need to be examined. Can you ensure actions in the event of a failure will not have a negative impact? For example, a door that locks on failover and cannot be opened from the inside will create safety risks; however, a door that opens on failover could result in theft of property or IP. Who controls and can access these settings?

    Firmware updates: Assess the history of updates released by the vendor and determine how these updates are sent to the devices and validated. Ensure the product has been developed using trusted platforms with security lifecycle models. Many devices will have embedded security solutions. Ensure these can be integrated into organizational security solutions and risk mitigation strategies.

    Enterprise IoT strategy will require a focus on privacy and risk

    Data aggregation creates new privacy concerns as data may be used outside of the original project parameters. The change of scope will need to be evaluated to determine personally identifiable information and what new issues it can create for the program, organization, and your audience.

    As a point solution, IoT provides a means to collect large amounts of data and, if actuators are completing tasks, act quickly. When determining the use case for IoT and best fit solutions, it’s important to think about what data needs to be collected and what actions will need to be coordinated.

    As the need for more than just a few IoT solutions surfaces, the complexity and potential usefulness of data increases. This can lead to significant changes to the scope of data collection, storage, and analysis, and may lead to unintended consequences.

    Questions to ask your vendors:
    1. Where may there be physical access to sensors and a possibility of theft, and can the data be encrypted?
    2. What type of information is captured by sensors and stored in the solution?
    3. Where is personally identifiable information captured, and where is it stored? How will you meet regulatory requirements such as GDPR? Where does the data fit within existing retention policies, and how long should it be kept?
    4. Will there be a need to post signage or update privacy statements in response to the information being collected?

    If data classification, privacy, and security controls are not yet documented, see Info-Tech’s related blueprints:


    Don’t make assumptions about the type of data gathered with devices – ask the vendor to clearly state how and what is collected

    Carefully review how this information can be used by machine learning, in combination with other solutions, and if there is a possibility of unintended consequences that will create issues for your customers and therefore your own data sets.

    Look for ways of capturing information that will meet your business requirements while mitigating risk of capturing personally identifiable information. Examples would be LiDAR to capture movement instead of video, or AI to blur faces or license plate numbers at time of image capture.

    This chart identifies data collected by smartphone accelerometers which could be used to identify and profile an individual and understand their behaviors.

    Mobile device accelerometer data

    Table of Mobile device accelerometer data with columns 'Detection of sound vibrations', 'Body movements', and 'Motion trajectory of the device', and a key for color-coding labelling purple items as 'Health', yellow items as 'Personality traits, moods & emotions', and green items 'Identification'.
    Overview of sensitive inferences that can be drawn from accelerometer data. (Source: Association for Computing Machinery, 2019.)

    2.4 Exercise – Privacy & Security specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for Privacy & Security specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solution to ensure security and privacy needs will be met.
    3. Additional questions may help to:
      1. Identify biggest risks created by a large influx of sensors and additional vendors.
      2. Identify options for mitigating risks for privacy and regulatory requirements.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    Review infrastructure requirements to proactively engage with vendors

    A modernized architecture will provide needed flexibility for onboarding new IoT solutions as well as providing the structure to collect, transport, and house data; however, not everything will be on the network. Knowing requirements for integrations, communications, and support will eliminate surprises during implementation.

    The supporting applications will be collecting and analyzing data for each of these solutions, with most being hosted on public clouds or privately by the vendor. Access to the applications for data collection may require APIs or other middleware to transfer data outside of their application. Data transfer may be unimportant if the data collected will stand alone and never be integrated to other systems, but it will be critical if IoT plans include retrieving, aggregating, and analyzing data from most systems. If these systems are closed, determine the process to get this information, whether it’s through scheduled exports or batch transfers.

    Determine if data will be backed up by the vendor or if backups are the responsibility of your team. Work with the business owner to better understand business continuity requirements to plan appropriately for data transmission, storage, and archiving.

    Network and communications will vary dramatically depending on where sensors and actuators are located. On-premises solutions may rely on Wi-Fi on your network or may require an air-gapped or segregated network. External sensors may rely on public Wi-Fi, cellular, or satellite, and this may impact reliability and serviceability. If manual data collection is required, such as collecting SD cards on trail cams, who will be responsible, and will they have the tools and data repository they need to upload data manually? Are you able to work with the vendor to estimate traffic on these networks, and how will that impact costs for cellular or satellite service?

    Investigate power requirements. On-premises solutions may require additional wiring, but if using wind or solar, what is the backup? If using batteries, what is the expected lifespan? Who will be monitoring, and who will be changing the batteries?

    Determine monitoring requirements. Who should be responsible for performance monitoring, outages, data transmission, and validation? Is this a vendor premium service or a process to manage in-house? If managed by the vendor, discuss required SLAs and their ability to meet them.

    If your organization is dealing with technical debt and older architecture which could prevent progress, see Info-Tech’s related blueprints to build out the foundation.


    Determine operational readiness to support and secure IoT solutions

    Availability and capacity planning, business continuity planning, and management of all operational and support requirements will need to be put in place. Execution of controls, maintenance plans, and operational support will be required to mitigate risks that would otherwise reduce the value of the solutions.

    One of the biggest challenges faced by organizations that have already adopted IoT is the management of these systems. Without an accurate inventory, it’s impossible to know how secure the IoT systems are. Abandoned sensors, stolen cameras, and old and unpatched firmware all contribute to security risks.

    Existing asset management solutions may provide the right solution, but they are limited in many cases by the discovery tools in place. Many discovery tools are designed to scan the network and may not have access to segregated or air-gapped networks or a means to access anything in the cloud or requiring remote access. Evaluate the effectiveness of current tools, and if they prove to be inadequate, look for solutions that are geared specifically to IoT as they may provide additional useful management capabilities.

    IoT management tools will provide more than just inventory. They can discover IoT devices in a variety of environments, possibly adding micro-agents to access device attributes such as name, type, and date of build, and allowing metadata and tags to be added. Additionally, these solutions will provide the means to deploy firmware updates, change configuration settings, send notifications if devices are taken offline, and run vulnerability assessments. Some may even have diagnostics tools for troubleshooting and remediation.

    If operational processes aren’t in place, see Info-Tech’s related blueprints to build out the foundation.


    Identify what needs to happen to onboard these solutions into your support portfolio

    Evaluate support options to determine the best way to support the business. Even if support is completely outsourced, a support plan will be critical for holding vendors to account, bringing support in-house if support doesn’t meet your needs, and understanding dependencies while navigating through incidents and problem- and change-enablement processes.

    Regular maintenance for your team may include battery swaps, troubleshooting camera outages or intermittent sensors, or deploying patches. Understand the support requirements for the product lifecycle and who will be responsible for that work. If the vendor will be applying patches and upgrading firmware, get clarity on how often and how they’ll be deployed and validated. Ask the vendor about support documentation and offerings.

    Determine the best ways of collecting inventory on the solution. Determine what the solution offers to help with this process; however, if the project plan requires specific location details to add sensors, the project list may be the best way to initially onboard the sensors into inventory.

    Determine if warranty offerings are an appropriate solution for devices in each project, to schedule and record appropriate maintenance details and plan replacements as sensors reach end of life. Document dependencies for future planning.


    2.5 Exercise – Infrastructure & Operations specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for Infrastructure & Operations specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review the template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solutions to ensure the solutions can be integrated into the existing environment and operational processes.
    3. Additional questions may help to:
      1. Reduce risks and project failures from solutions that will be difficult to integrate or secure.
      2. Improve project planning for projects that are often driven by the vendor and the business.
      3. Reduce operational risks due to lack of integration with asset and operational processes.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to plan for mitigation and integration should the project be approved as viable.


    2.6 Exercise: Define service objectives and evaluation process

    1 hour

    Input: List of criteria in the playbook, Understanding of resource availability of solution evaluators

    Output: Steering committee criteria for progressing projects through the process

    Materials: Whiteboard/flip charts, IoT Steering Committee Charter workbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    Now that you’ve defined the initial review requirements, meet as a group once more to finalize the process for reviewing requests. Look for ways to speed the process, including asynchronous communications and reviews. Consider meeting as a group for any solutions that may be deemed high risk or highly complex.

    1. Agree on what can be identified as a reasonable SLA to respond to the business on these requests.
    2. Agree on methods of communication between committee members and the business.
    3. Determine the criteria for when a proof of value should be initiated, and who will lead the process.


    Create and Implement an IoT Strategy

    Phase 3

    Prepare for a Proof of Value

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Create proof of value criteria
    • Create proof of value template

    A proof of value can quickly help you prove value or fail fast

    Investing a small amount of time and money up front will validate the possibility of your proposed solution.

    A proof of value will require a vision and definition of your criteria for success, which will be necessary to determine if the project should go ahead. It should take no longer than three months and may be as short as a week.

    When should you run a proof of value?

    • When it is difficult to confirm that the solution is fit for purpose.
    • When the value of the solution is indeterminate.
    • When the solution is early in its lifecycle and not widely proven in the marketplace.
    • When scalability is questionable or unproven.
    • When the solution requires customization or configuration.

    Info-Tech Insight
    Where a solution is well known in the market, requires minimal customization, and is proven to be fit for purpose, a shorter evaluation or conversations with reference clients or partners may be all that is necessary.

    Table titled 'Reasons IoT proof of value projects fail'. There is a column for type of project (i.e., Scaling, Business, etc.), one for reasons, and one for percentages.
    (Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

    3.1 Exercise: Define the criteria for running a proof of value

    1 hour

    Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions.

    Output: Proof of value template for use as appropriate to evaluate IoT solutions.

    Materials: IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. As a group, review the circumstances for when to run a proof of value.
    2. Determine who will help to build the proof of value plan.
    3. Determine requirements for participation in the proof of value process. Consider project size, complexity, risk, and visibility.


    Design your proof of value to test the viability of the solution

    Engage the right stakeholders early to gather feedback and analysis and determine suitability

    Determine the proof of value methodology to ensure the plan allows for fast testing
    • Go back to the original request: What are the goals for implementing this solution? Has this been clearly defined with criteria for success?
    • Define the technical team that will configure the solution, including vendors and technicians. Ensure the vendor fully understands your use cases and goals. Identify the level of support you’ll need to implement and assess the solution.
    • Define the testing team, including technical and business users. Complete a journey map if needed to define the use case(s) at the right level of detail.
    • Ensure the test use case(s) have been defined and that all participants agree on the definition of success.
    • Make sure the team is available to do the testing and provide feedback, as high adoption will improve feedback which will be critical to successfully implementing the full solution.
    • Determine how to evaluate scalability with process, resources, and capacity.
    • Evaluate the risks and obstacles to decide whether to reject the solution or mitigate them, and to prevent scope creep.
    • Evaluate the vendor’s roadmap, training materials, and technical support options.

    Info-Tech Insight

    Additional information on building out a process for testing new technology can be found in the blueprint: Exploit Disruptive Infrastructure Technology.

    “Although scope creep is not the only nemesis a project can have, it does tend to have the farthest reach. Without a properly defined project and/or allowing numerous changes along the way, a project can easily go over budget, miss the deadline, and wreak havoc on project success.” (University Alliance, Villanova University)

    Define your objectives for the proof of value

    Referencing documents submitted to the committee, continue to refine the problem statement.

    Objectives are a key first step to show the solution will meet your needs.
    • Every technology is designed to solve a problem faced by somebody somewhere. For each technology that your team has decided to move forward with, identify and clearly state the problem it would solve.
    • A clear problem statement is a crucial part of a new technology’s business case. It is impossible to earn buy-in from the rest of the organization without demonstrating the necessity of a solution.
    • Perfection is impossible to achieve, especially during a proof of value (POV). However, knowing the pain points of the way things are done without this technology, and noting a reduction in pain and increase in efficiency and accuracy of data gathering will help in the initial feedback of the tests. Ensure the proof of value includes data validation to test accuracy.

    Info-Tech Insight

    Know your metrics going into the proof of value. Document performance, quality, and time to do the work and compare to metrics in the proof of value. Agree on what success looks like, to ensure that improvements are substantial enough to justify the expense and effort of implementing the solution.

    Questions to consider:
    • What are the project’s goals?
    • What is the desired future state?
    • What problems must be solved to call the POV a viable solution?
    • Where will the project be rolled out? Are there any concerns about communications and power that may need to be addressed?
    • Are there any risks to watch for?

    Info-Tech Insight

    Be sure to avoid scope creep! Remember: the goal of the proof of value project is to produce a minimum case for viability in a carefully defined area. Reserve a detailed accounting of costs and benefits for after the proof of value stage.

    Define use cases to test against current methods

    Outline the solution to the problem

    Determine how the solution should perform in completing tasks. Be careful not to focus too heavily on how things are done today: You’re looking for dramatic improvements, not going back to existing workarounds.
    • The use case will help to define the scope of the project, identify adjacent use cases or tasks that will be out of scope, and contain the test to a reasonable effort and time frame, while still testing core functionality.
    • Map processes based on expectations of how the solution should work, and compare these to the way things are done today. Identify whether there are obvious improvements to the existing processes that, if made, would change the existing results significantly. Take this into account when reviewing results. (This will also be useful if the project isn’t approved or is delayed.)
    • Identify where tasks and data collection will be automated and where they will need to stay manual or require additional integrations or solutions such as RPA. These other solutions may not factor into the proof of value but will need to be identified on the solution roadmap if it goes ahead.


    Define steps to reach these goals today:
    • Discuss steps to completion
    • Effort to collect data
    • Effort to validate and correct data
    • Effort and ability to use the data for decision making, understanding your customers, and process improvements
    • Quality of data available with current methods compared to quality and volume of data using an IoT solution

    Determine the appropriate project team

    Bring in team members from the business and technical sides to test for those functions that matter most to each team. This effort will enable them to quickly identify risks and mitigate them as part of the product rollout or start the process to look at alternative solutions.
    • Stakeholders: Anyone who is impacted by the new technology and who will end up using, approving, or implementing it. Identify team members who will be willing and able to test the systems for data quality, collection, and workflow improvements.
    • Data analysts: Include someone who can validate the usefulness of data to meet the needs of the organization.
    • Security & Privacy: Include these team members to validate their expectations of how privacy and security needs can be met.
    • Infrastructure & Operations: These team members can test integrations, data collections, traffic flow, etc.
    • Vendor: Discuss what part the vendor can play in setting up the solution for running the proof of value.
    • Other business units: Identify business units that could benefit or be impacted by this solution. Invite them to participate in the proof of value, but remember to contain scope.

    Leverage the insights of the diverse working group
    • Processes are designed to transform inputs into outputs. All business activities can be mapped into processes.
    • A process map illustrates the sequence of actions and decisions that transform an input into an output.
    • Effective mapping gives managers an “aerial” view of the company’s processes, making it easier to identify inefficiencies, reduce waste, and ultimately streamline operations.
    • To identify business processes, have group members familiar with the affected business units identify how jobs are typically accomplished within those units.
    • Ensure they have the time to test the solution and provide valid feedback.

    Estimate the resources required for the pilot

    Time, money, technology, resources

    The benefit of running a proof of value is to make a decision on viability of a solution without the expense of implementing a full solution. This isn’t necessary for low-risk, highly proven solutions, which could be validated with references instead.

    • Estimate the number of hours needed to implement the proof of value.
    • Estimate the hours needed for business users to test.
    • Estimate the costs of technology. If the solution can be run in a vendor sandbox or in a test/dev instance in the cloud, you may be able to keep these costs very low.
    • Determine the appropriate number of devices to test in multiple locations and environments; work with the vendor to see if they have evaluation devices or discounts for proof of value purposes.

    Conduct a post-proof of value review to finalize the decision to move forward

    Gather evaluators together to ensure the pilot team completed their assessments. A common failure of pilots is making assumptions around the level of participation that has taken place.
    • The core working group is responsible for producing a vision of the future and outlining new technology’s disruptive potential. The actual implementation of the proof of value (purchasing the hardware, negotiating the SLA with the vendor) is beyond the committee’s responsibilities.
    • If the proof of value goes ahead, the facilitator should block some time to evaluate the completed project against the key performance indicators identified in the initial plan.
    • Use the Proof of Value Template section of the IoT Solution Playbook to document POV requirements as well as finalizing the feedback loop.
    • Determine ratings for the proof of value to identify which solutions are not viable and which levels of viability are worth moving forward with. Some viable solutions may need a different vendor, and some may need customization or multiple integrations. This is important for the project team to move ahead with the implementation.
    • Encourage everyone to provide enough feedback on the various processes to be confident in their declarations of worthiness and to confirm the proof of value was thorough.
    • Communicate your working group’s findings and success to a wide audience to gain interest in IoT solutions as well as to encourage the business to work with the committee to integrate solutions into the governance and operational structure.

    3.2 Exercise: Create a template for designing a proof of value

    1-3 hours

    Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions

    Output: Proof of value template for use as appropriate to evaluate IoT solutions

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. As a group, review the Proof of Value Template section of the IoT Solution Playbook to determine if it will meet the needs of your business and technical groups.
    2. Determine who will work with the business to create the proof of value plan.
    3. Modify the template to suit your needs, keeping in mind a need for clarity of purpose, communications throughout the POV, and clearly stated goals and definitions of success.
    4. Set a target timeframe to run the POV, preferably no longer than 90 days.
    5. Determine appropriate steps to take for POVs that do not garner the expected participation to qualify a solution to move forward.
    6. Determine appropriate reporting for the evaluation process.


    Communications

    As with any new product, marketing and communications will be an important first step in letting the business know how to engage IT in its assessments of IoT innovations. As these solutions prove themselves, or even as you help the business to find better solutions, share your successes with the rest of the organization.

    Business units are already being courted by the vendors, so it’s up to IT to insert themselves in the process in a way that helps improve the success of the business team while still meeting IT’s objectives.

    Your customers will not willingly engage in highly bureaucratic processes and need to see a reason to engage.

    1. Keep the intake process simple.
    2. Provide support to answer the tough questions.
    3. Be clear on the benefits to the organization and the business unit by engaging with your group, and be clear about how you will help within a reasonable time frame.
      • IT will help navigate the vendor prerequisites, contracts, and product setup.
      • IT will assume some of the responsibility for the solution, especially around security and privacy.
      • The business unit will reap the rewards of the solution with minimal operational effort.

    Info-Tech Insight

    Consider building your playbook into your service catalog to make it easy for business users to start the request process. From there, you can create workflows and notifications, track progress, set and meet SLAs, and enable efficient asynchronous communications.

    Research Contributors and Experts


    John Burwash
    Senior Director, Executive Services
    Info-Tech Research Group


    Info-Tech Research Group is an IT research and advisory firm with over 23 years of experience helping enterprises around the world with managing and improving core IT processes. They write highly relevant and unbiased research to help leaders make strategic, timely, and well-informed decisions.

    External contributors
    4 external contributors have asked to remain anonymous.


    Jennifer Jones
    Senior Research Advisor, Industry
    Info-Tech Research Group


    Aaron Shum
    Vice President, Security, Privacy & Risk
    Info-Tech Research Group


    Rajesh Parab
    Research Director, Applications, Data & Analytics
    Info-Tech Research Group


    Frank Sargent
    Senior Director Practice Lead, Security, Privacy & Risk
    Info-Tech Research Group


    Scott Young
    Principal Research Advisor, Infrastructure
    Info-Tech Research Group


    Rocco Rao
    Director, Research Advisor, Industry
    Info-Tech Research Group

    Bibliography

    Ayyaswamy, Regu, et al. “IoT Is Enabling Enterprise Strategies for New Beginnings.” Tata Consulting Services, 2020. Web.

    “Data Volume of Internet of Things (IoT) Connections Worldwide in 2019 and 2025.” Statista, 2020.

    Dos Santos, Daniel, et al. “Cybersecurity in Building Automation Systems (BAS).” Forescout, 2020. Web.

    Earle, Nick. “Overcoming the Barriers to Global IoT Connectivity: How Regional Operators Can Reap Rewards From IoT.” IoTNow, 30 June 2021. Web.

    Faludi, Rob. “How Do IoT Devices Communicate?” Digi, 26 Mar. 2021. Web.

    Halper, Fern, and Philip Russom. “TDWI IoT Data Readiness Guide, Interpreting Your Assessment Score.” Cloudera, 2018. Web.

    Horwitz, Lauren. “IoT Enterprise Deployments Continue Apace, Despite COVID-19.” IoT World Today, 22 Apr. 2021.

    “How Does IoT Data Collection Work?” Digiteum, 13 Feb. 2020. Web.

    “IoT Data: How to Collect, Process, and Analyze Them.” Spiceworks, 26 Mar. 2019. Web.

    IoT Signals Report: Edition 2, Hypothesis Group for Microsoft, Oct. 2020. Web.

    King, Stacey. “4 Key Considerations for Consistent IoT Manageability and Security.” Forescout, 22 Aug. 2019. Web.

    Krämer, Jurgen. “Why IoT Projects Fail and How to Beat the Odds.” Software AG, 2020. Web.

    Kröger, Jacob Leon, et al. “Privacy Implications of Accelerometer Data: A Review of Possible Inferences.” ICCSP, Jan. 2019, pp. 81-7. Web.

    Manyika, James, et al. “Unlocking the Potential of the Internet of Things.” McKinsey Global Institute, 1 June 2015. Web.

    Ricco, Emily. “How To Run a Successful Proof of Concept – Lessons From Hubspot.” Filtered. Web.

    Rodela, Jimmy. “The Blueprint, Your Complete Guide to Proof of Concept.” Motley Fool, 2 Jan. 2021. Web.

    Sánchez, Julia, et al. “An Integral Pedagogical Strategy for Teaching and Learning IoT Cybersecurity.” Sensors, vol. 20, no. 14, July 2020, p. 3970.

    The IoT Generation of Vulnerabilities. SC Media, 2020. E-book.

    Woods, James P., Jr. “How Consumer IoT Devices Can Break Your Security.” HPE, 2 Nov. 2021.

    Stakeholder Relations

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: /strategy-and-governance

    The challenge

    • Stakeholders come in a wide variety, often with competing and conflicting demands.
    • Some stakeholders are hard to identify. Those hidden agendas may derail your efforts.
    • Understanding your stakeholders' relative importance allows you to prioritize your IT agenda according to the business needs.

    Our advice

    Insight

    • Stakeholder management is an essential factor in how successful you will be.
    • Stakeholder management is a continuous process. The landscape constantly shifts.
    • You must also update your stakeholder management plan and approach on an ongoing basis.

    Impact and results 

    • Use your stakeholder management process to identify, prioritize, and manage key stakeholders effectively.
    • Continue to build on strengthening your relationships with stakeholders. It will help to gain easier buy-in and support for your future initiatives. 

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Make the case

    Identify stakeholders

    • Stakeholder Management Analysis Tool (xls)

    Analyze your stakeholders

    Assess the stakeholder's influence, interest, standing, and support to determine priority for future actions 

    Manage your stakeholders

    Develop your stakeholder management and communication plans

    • Stakeholder Management Plan Template (doc)
    • Communication Plan Template (doc)

    Monitor your stakeholder management plan performance

    Measure and monitor the success of your stakeholder management process.

     

     

    Establish a Foresight Capability

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • To be recognized and validated as a forward-thinking CIO, you must establish a structured approach to innovation that considers external trends as well as internal processes.
    • The CEO is expecting an investment in IT innovation to yield either cost reduction or revenue growth, but growth cannot happen without opportunity identification.

    Our Advice

    Critical Insight

    • Technological innovation is disrupting business models – and it’s happening faster than organizations can react.
    • Smaller, more agile organizations have an advantage because they have fewer resources tied to existing operations and can move faster.

    Impact and Result

    • Be the disruptor, not the disrupted. This blueprint will help you plan proactively and identify opportunities before your competitors.
    • Strategic foresight gives you the tools you need to effectively process the signals in your environment, build an understanding of relevant trends, and turn this understanding into action.

    Establish a Foresight Capability Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to effectively apply strategic foresight, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Signal gathering

    Develop a better understanding of your external environment and build a database of signals.

    • Establish a Foresight Capability – Phase 1: Signal Gathering
    • Foresight Process Tool

    2. Trends and drivers

    Select and analyze trends to uncover drivers.

    • Establish a Foresight Capability – Phase 2: Trends and Drivers

    3. Scenario building

    Use trends and drivers to build plausible scenarios and brainstorm strategic initiatives.

    • Establish a Foresight Capability – Phase 3: Scenario Building

    4. Idea selection

    Apply the wind tunneling technique to assess strategic initiatives and determine which are most likely to succeed in the face of uncertainty.

    • Establish a Foresight Capability – Phase 4: Idea Selection

    Workshop: Establish a Foresight Capability

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-workshop – Gather Signals and Build a Repository

    The Purpose

    Note: this is preparation for the workshop and is not offered onsite.

    Gather relevant signals that will inform your organization about what is happening in the external competitive environment.

    Key Benefits Achieved

    A better understanding of the competitive landscape.

    Activities

    1.1 Gather relevant signals.

    1.2 Store signals in a repository for quick and easy recall during the workshop.

    Outputs

    A set of signal items ready for analysis

    2 Identify Trends and Uncover Drivers

    The Purpose

    Uncover trends in your environment and assess their potential impact.

    Determine the causal forces behind relevant trends to inform strategic decisions.

    Key Benefits Achieved

    An understanding of the underlying causal forces that are influencing a trend that is affecting your organization.

    Activities

    2.1 Cluster signals into trends.

    2.2 Analyze trend impact and select a key trend.

    2.3 Perform causal analysis.

    2.4 Select drivers.

    Outputs

    A collection of relevant trends with a key trend selected

    A set of drivers influencing the key trend with primary drivers selected

    3 Build Scenarios and Ideate

    The Purpose

    Leverage your understanding of trends and drivers to build plausible scenarios and apply them as a canvas for ideation.

    Key Benefits Achieved

    A set of potential responses or reactions to trends that are affecting your organization.

    Activities

    3.1 Build scenarios.

    3.2 Brainstorm potential strategic initiatives (ideation).

    Outputs

    Four plausible scenarios for ideation purposes

    A potential strategic initiative that addresses each scenario

    4 Apply Wind Tunneling and Select Ideas

    The Purpose

    Assess the various ideas based on which are most likely to succeed in the face of uncertainty.

    Key Benefits Achieved

    An idea that you have tested in terms of risk and uncertainty.

    An idea that can be developed and pitched to the business or stored for later use. 

    Activities

    4.1 Assign probabilities to scenarios.

    4.2 Apply wind tunneling.

    4.3 Select ideas.

    4.4 Discuss next steps and prototyping.

    Outputs

    A strategic initiative (idea) that is ready to move into prototyping

    Availability and Capacity Management

    • member rating overall impact (scale of 10): 8.0/10.0
    • member rating average dollars saved: $2,950
    • member rating average days saved: 10
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    Develop your availability and capacity management plan and align it with exactly what the business expects.

    Manage an IT Budget

    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • IT is viewed as a cost center without a clear understanding of the value it provides.
    • After completing the budget, the CIO is faced with changing expectations, disruptions, new risks, and new threats.
    • IT departments often lack a reliable budget management process to keep themselves on track towards their budget goals.
    • Overbudgeting risks credibility if projects are not all delivered, while underbudgeting risks not being able to execute important projects.

    Our Advice

    Critical Insight

    • Managing your budget is not just about numbers; it’s also about people and processes. Better relationships and a proper process lead to better management of your budget. Understand how your relationships and current processes might be leveraged to manage your budget.
    • No one likes to be over budget, but being under budget isn’t necessarily good either. Coming in under budget may mean that you are not accomplishing the initiatives that you promised you would, reflecting poor job performance.

    Impact and Result

    • Implement a formal budget management process that documents your planned budget and actual expenditures, tracks variances, and responds to those variances to stay on track towards budget goals.
    • Manage the expectations of business stakeholders by communicating the links between IT spend and business value in a way that is easily understood by the business.
    • Control for under- or overspending by using Info-Tech’s budget management tool and tactics.

    Manage an IT Budget Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand the increasing expectations for IT departments to better manage their budgets, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Document

    Create a streamlined documentation process that also considers the elements of people and technology.

    • Manage an IT Budget – Phase 1: Document
    • Manage Your IT Budget Tool

    2. Track

    Track your planned budget against actual expenditures to catch areas of over- and underspending in a timely manner.

    • Manage an IT Budget – Phase 2: Track

    3. Control

    Leverage control mechanisms to manage variances in your budget.

    • Manage an IT Budget – Phase 3: Control

    Workshop: Manage an IT Budget

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Document Budget

    The Purpose

    The first step of managing your IT budget is to make sure there is a properly documented budget that everyone agrees upon.

    Key Benefits Achieved

    A properly documented budget facilitates management and communication of the budget.

    Activities

    1.1 Review budget for the year.

    1.2 Document each budget in the tool.

    1.3 Review CAPEX vs. OPEX.

    1.4 Customize accounts to match your organization.

    Outputs

    Budget broken out into monthly increments and by each account.

    Budget documented in tool.

    Tool customized to reflect organization's specific accounts and terminology.

    2 Optimize Documentation Process

    The Purpose

    A proper documentation process forms the backbone for effective budget management.

    Key Benefits Achieved

    A streamlined documentation process with accurate inputs that also considers the elements of people and technology.

    Activities

    2.1 Draw out process flow of current documentation.

    2.2 Identify bottlenecks.

    2.3 Discuss and develop roadmap to solving bottlenecks.

    Outputs

    Process flow of current documentation process with identified bottlenecks.

    Plan to mitigate bottlenecks.

    3 Track and Control for Over- and Underspending

    The Purpose

    Track your planned budget against actual expenditures to catch areas of over- and underspending in a timely manner. Then, leverage control mechanisms to manage variances in your budget.

    Key Benefits Achieved

    Tracking and controlling for variances will help the IT department stay on track towards its budget goals. It will also help with communicating IT’s value to the business.

    Activities

    3.1 Walk through the “Overview Bar.”

    3.2 Document actual expenses incurred in fiscal to date.

    3.3 Review the risk of over- and underspending.

    3.4 Use the reforecast column to control for over- and underspend.

    Outputs

    Assess the “Overview Bar.”

    Document actual expenditures and committed expenses up to the current date.

    Develop a strategy and roadmap for how you will mitigate any current under- or overspends.

    Reforecast expenditures for each account for each month for the remainder of the fiscal year.

    Go the Extra Mile With Blockchain

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The transportation and logistics industry is facing a set of inherent flaws, such as high processing fees, fraudulent information, and lack of transparency, that blockchain is set to transform and alleviate.
    • Many companies have FOMO (fear of missing out), causing them to rush toward blockchain adoption without first identifying the optimal use case.

    Our Advice

    Critical Insight

    • Understand how blockchain can alleviate your pain points before rushing to adopt the technology. You have been hearing about blockchain for some time now and are feeling pressured to adopt it. Moreover, the series of issues hindering the transportation and logistics industry, such as the lack of transparency, poor cash flow management, and high processing fees, are frustrating business leaders and thereby adding additional pressure on CIOs to adopt the technology. While blockchain is complex, you should focus on its key features of transparency, integrity, efficiency, and security to identify how it can help your organization.
    • Ensure your use case is actually useful and can be valuable to your organization by selecting a business idea that is viable, feasible, and desirable. Applying design thinking tactics to your evaluation process provides a practical approach that will help you avoid wasting resources (both time and money) and hurting IT’s image in the eyes of the business. While it is easy to get excited and invest in a new technology to help maintain your image as a thought leader, you must ensure that your use case is fully developed prior to doing so.

    Impact and Result

    • Understand blockchain’s transformative potential for the transportation and logistics industry by breaking down how its key benefits can alleviate inherent industry flaws.
    • Identify business processes and stakeholders that could benefit from blockchain.
    • Build and evaluate an inventory of use cases to determine where blockchain could have the greatest impact on your organization.
    • Articulate the value and organizational fit of your proposed use case to the business to gain their buy-in and support.

    Go the Extra Mile With Blockchain Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about blockchain’s transformative potential for the transportation and logistics industry and how Info-Tech will support you as you identify and build your blockchain use case.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate why blockchain can disrupt the transportation and logistics industry

    Analyze the four key benefits of blockchain as they relate to the transportation and logistics industry to understand how the technology can resolve issues being experienced by industry incumbents.

    • Go the Extra Mile With Blockchain – Phase 1: Evaluate Why Blockchain Can Disrupt the Transportation and Logistics Industry
    • Blockchain Glossary

    2. Build and evaluate an inventory of use cases

    Brainstorm a set of blockchain use cases for your organization and apply design thinking tactics to evaluate and select the optimal one to pitch to your executives for prototyping.

    • Go the Extra Mile With Blockchain – Phase 2: Build and Evaluate an Inventory of Use Cases
    • Blockchain Use Case Evaluation Tool
    • Prototype One Pager

    Build a Robust and Comprehensive Data Strategy

    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $46,734 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down.
    • At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing expectations and demands.

    Our Advice

    Critical Insight

    • As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    • A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    • Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Impact and Result

    • Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:
      • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy.
      • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weaknesses so you can optimize appropriately.
      • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Build a Robust and Comprehensive Data Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data Strategy Research – A step-by-step document to facilitate the formulation of a data strategy that brings together the business context, data management foundation, people, and culture.

    Data should be at the foundation of your organization’s evolution. The transformational insights that executives and decision makers are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, trusted, and relevant data readily available to the users who need it.

    • Build a Robust and Comprehensive Data Strategy – Phases 1-3

    2. Data Strategy Stakeholder Interview Guide and Findings – A template to support you in your meetings or interviews with key stakeholders as you work on understanding the value of data within the various lines of business.

    This template will help you gather insights around stakeholder business goals and objectives, current data consumption practices, the types or domains of data that are important to them in supporting their business capabilities and initiatives, the challenges they face, and opportunities for data from their perspective.

    • Data Strategy Stakeholder Interview Guide and Findings

    3. Data Strategy Use Case Template – An exemplar template to demonstrate the business value of your data strategy.

    Data strategy optimization anchored in a value proposition will ensure that the data strategy focuses on driving the most valuable and critical outcomes in support of the organization’s enterprise strategy. The template will help you facilitate deep-dive sessions with key stakeholders for building use cases that are of demonstrable value not only to their relevant lines of business but also to the wider organization.

    • Data Strategy Use Case Template

    4. Chief Data Officer – A job description template that includes a detailed explication of the responsibilities and expectations of a CDO.

    Bring data to the C-suite by creating the Chief Data Officer role. This position is designed to bridge the gap between the business and IT by serving as a representative for the organization's data management practices and identifying how the organization can leverage data as a competitive advantage or corporate asset.

    • Chief Data Officer

    5. Data Strategy Document Template – A structured template to plan and document your data strategy outputs.

    Use this template to document and formulate your data strategy. Follow along with the sections of the blueprint Build a Robust and Comprehensive Data Strategy and complete the template as you progress.

    • Data Strategy Document Template

    Workshop: Build a Robust and Comprehensive Data Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value: Understand the Current Business Environment

    The Purpose

    Establish the business context for the business strategy.

    Key Benefits Achieved

    Substantiates the “why” of the data strategy.

    Highlights the organization’s goals, objectives, and strategic direction the data must align with.

    Activities

    1.1 Data Strategy 101

    1.2 Intro to Tech’s Data Strategy Framework

    1.3 Data Strategy Value Proposition: Understand stakeholder’s strategic priorities and the alignment with data

    1.4 Discuss the importance of vision, mission, and guiding principles of the organization’s data strategy

    1.5 Understand the organization’s data culture – discuss Data Culture Survey results

    1.6 Examine Core Value Streams of Business Architecture

    Outputs

    Business context; strategic drivers

    Data strategy guiding principles

    Sample vision and mission statements

    Data Culture Diagnostic Results Analysis

    2 Business-Data Needs Discovery: Key Business Stakeholder Interviews

    The Purpose

    Build use cases of demonstrable value and understand the current environment.

    Key Benefits Achieved

    An understanding of the current maturity level of key capabilities.

    Use cases that represent areas of concern and/or high value and therefore need to be addressed.

    Activities

    2.1 Conduct key business stakeholder interviews to initiate the build of high-value business-data cases

    Outputs

    Initialized high-value business-data cases

    3 Understand the Current Data Environment & Practice: Analyze Data Capability and Practice Gaps and Develop Alignment Strategies

    The Purpose

    Build out a future state plan that is aimed at filling prioritized gaps and that informs a scalable roadmap for moving forward on treating data as an asset.

    Key Benefits Achieved

    A target state plan, formulated with input from key stakeholders, for addressing gaps and for maturing capabilities necessary to strategically manage data.

    Activities

    3.1 Understand the current data environment: data capability assessment

    3.2 Understand the current data practice: key data roles, skill sets; operating model, organization structure

    3.3 Plan target state data environment and data practice

    Outputs

    Data capability assessment and roadmapping tool

    4 Align Business Needs with Data Implications: Initiate Roadmap Planning and Strategy Formulation

    The Purpose

    Consolidate business and data needs with consideration of external factors as well as internal barriers and enablers to the success of the data strategy. Bring all the outputs together for crafting a robust and comprehensive data strategy.

    Key Benefits Achieved

    A consolidated view of business and data needs and the environment in which the data strategy will be operationalized.

    An analysis of the feasibility and potential risks to the success of the data strategy.

    Activities

    4.1 Analyze gaps between current- and target-state

    4.2 Initiate initiative, milestone and RACI planning

    4.3 Working session with Data Strategy Owner

    Outputs

    Data Strategy Next Steps Action Plan

    Relevant data strategy related templates (example: data practice patterns, data role patterns)

    Initialized Data Strategy on-a-Page

    Further reading

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    ANALYST PERSPECTIVE

    Data Strategy: Key to helping drive organizational innovation and transformation

    "In the dynamic environment in which we operate today, where we are constantly juggling disruptive forces, a well-formulated data strategy will prove to be a key asset in supporting business growth and sustainability, innovation, and transformation.

    Your data strategy must align with the organization’s business strategy, and it is foundational to building and fostering an enterprise-wide data-driven culture."

    Crystal Singh,

    Director – Research and Advisory

    Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • Chief data officers (CDOs), chief architects, VPs, and digital transformation directors and CIOs who are accountable for ensuring data can be leveraged as a strategic asset of the organization.

    This Research Will Help You:

    • Put a strategy in place to ensure data is available, accessible, well integrated, secured, of acceptable quality, and suitably visualized to fuel decision making by the organization’s executives.
    • Align data management plans and investments with business requirements and the organization’s strategic plans.
    • Define the relevant roles for operationalizing your data strategy.

    This Research Will Also Assist:

    • Data architects and enterprise architects who have been tasked with supporting the formulation or optimization of the organization’s data strategy.
    • Business leaders creating plans for leveraging data in their strategic planning and business processes.
    • IT professionals looking to improve the environment that manages and delivers data.

    This Research Will Help Them:

    • Get a handle on the current situation of data within the organization.
    • Understand how the data strategy and its resulting initiatives will affect the operations, integration, and provisioning of data within the enterprise.

    Executive Summary

    Situation

    • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down. At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing and demanding expectations.

    Complication

    • As organizations pivot in response to industry disruptions and changing landscapes, a reactive and piecemeal approach leads to data architectures and designs that fail to deliver real and measurable value to the business.
    • Despite the growing focus on data, many organizations struggle to develop a cohesive business-driven strategy for effectively managing and leveraging their data assets.

    Resolution

    Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:

    • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy.
    • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weaknesses so you can optimize appropriately.
    • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

    Info-Tech Insight

    1. As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
    2. A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
    3. Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

    Why do you need a data strategy?

    Your data strategy is the vehicle for ensuring data is poised to support your organization’s strategic objectives.

    The dynamic marketplace of today requires organizations to be responsive in order to gain or maintain their competitive edge and place in their industry.

    Organizations need to have that 360-degree view of what’s going on and what’s likely to happen.

    Disruptive forces often lead to changes in business models and require organizations to have a level of adaptability to remain relevant.

    To respond, organizations need to make decisions and should be able to turn to their data to gain insights for informing their decisions.

    A well-formulated and robust data strategy will ensure that your data investments bring you the returns by meeting your organization’s strategic objectives.

    Organizations need to be in a position where they know what’s going on with their stakeholders and anticipate what their stakeholders’ needs are going to be.

    Data cannot be fully leveraged without a cohesive strategy

    Most organizations today will likely have some form of data management in place, supported by some of the common roles such as DBAs and data analysts.

    Most will likely have a data architecture that supports some form of reporting.

    Some may even have a chief data officer (CDO), a senior executive who has a seat at the C-suite table.

    These are all great assets as a starting point BUT without a cohesive data strategy that stitches the pieces together and:

    • Effectively leverages these existing assets
    • Augments them with additional and relevant key roles and skill sets
    • Optimizes and fills in the gaps around your current data management enablers and capabilities for the growing volume and variety of data you’re collecting
    • Fully caters to real, high-value strategic organizational business needs

    you’re missing the mark – you are not fully leveraging the incredible value of your data.

    Cross-industry studies show that on average, less than half of an organization’s structured data is actively used in making decisions

    And, less than 1% of its unstructured data is analyzed or used at all. Furthermore, 80% of analysts' time is spent simply discovering and preparing data, with over 70% of employees having access to data they should not. Source: HBR, 2017

    Organizational drivers for a data strategy

    Your data strategy needs to align with your organizational strategy.

    Main Organizational Strategic Drivers:

    1. Stakeholder Engagement/Service Excellence
    2. Product and Service Innovations
    3. Operational Excellence
    4. Privacy, Risk, and Compliance Management

    “The companies who will survive and thrive in the future are the ones who will outlearn and out-innovate everyone else. It is no longer ‘survival of the fittest’ but ‘survival of the smartest.’ Data is the element that both inspires and enables this new form of rapid innovation.” – Joel Semeniuk, 2016

    A sound data strategy is the key to unlocking the value in your organization’s data.

    Data should be at the foundation of your organization’s evolution.

    The transformational insights that executives are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, well-integrated, trustworthy, relevant data readily available to the business users who need it.

    Whether hoping to gain a better understanding of your business, trying to become an innovator in your industry, or having a compliance and regulatory mandate that needs to be met, any organization can get value from its data through a well-formulated, robust, and cohesive data strategy.

    According to a leading North American bank, “More than one petabyte of new data, equivalent to about 1 million gigabytes” is entering the bank’s systems every month. – The Wall Street Journal, 2019

    “Although businesses are at many different stages in unlocking the power of data, they share a common conviction that it can make or break an enterprise.” – Jim Love, ITWC CIO and Chief Digital Officer, IT World Canada, 2018

    Data is a strategic organizational asset and should be treated as such

    The expression “Data is an asset” or any other similar sentiment has long been heard.

    With such hype, you would have expected data to have gotten more attention in the boardrooms. You would have expected to see its value reflected on financial statements as a result of its impact in driving things like acquisition, retention, product and service development and innovation, market growth, stakeholder satisfaction, relationships with partners, and overall strategic success of the organization.

    The time has surely come for data to be treated as the asset it is.

    “Paradoxically, ‘data’ appear everywhere but on the balance sheet and income statement.” – HBR, 2018

    “… data has traditionally been perceived as just one aspect of a technology project; it has not been treated as a corporate asset.” – “5 Essential Components of a Data Strategy,” SAS

    According to Anil Chakravarthy, who is the CEO of Informatica and has a strong vantage point on how companies across industries leverage data for better business decisions, “what distinguishes the most successful businesses … is that they have developed the ability to manage data as an asset across the whole enterprise.” – McKinsey & Company, 2019

    How data is perceived in today’s marketplace

    Data is being touted as the oil of the digital era…

    But just like oil, if left unrefined, it cannot really be used.

    "Data is the new oil." – Clive Humby, Chief Data Scientist

    Source: Joel Semeniuk, 2016

    Enter your data strategy.

    Data is being perceived as that key strategic asset in your organization for fueling innovation and transformation.

    Your data strategy is what allows you to effectively mine, refine, and use this resource.

    “The world’s most valuable resource is no longer oil, but data.” – The Economist, 2017

    “Modern innovation is now dependent upon this data.” – Joel Semeniuk, 2016

    “The better the data, the better the resulting innovation and impact.” – Joel Semeniuk, 2016

    What is in it for you? What opportunities can data help you leverage?

    GOVERNMENT

    Leveraging data as a strategic asset for the benefit of citizens.

    • The strategic use of data can enable governments to provide higher-quality services.
    • Direct resources appropriately and harness opportunities to improve impact.
    • Make better evidence-informed decisions and better understand the impact of programs so that funds can be directed to where they are most likely to deliver the best results.
    • Maintain legitimacy and credibility in an increasingly complex society.
    • Help workers adapt and be competitive in a changing labor market.
    • A data strategy would help protect citizens from the misuse of their data.

    Source: Privy Council Office, Government of Canada, 2018

    What is in it for you? What opportunities can data help you leverage?

    FINANCIAL

    Leveraging data to boost traditional profit and loss levers, find new sources of growth, and deliver the digital bank.

    • One bank used credit card transactional data (from its own terminals and those of other banks) to develop offers that gave customers incentives to make regular purchases from one of the bank’s merchants. This boosted the bank’s commissions, added revenue for its merchants, and provided more value to the customer (McKinsey & Company, 2017).
    • In terms of enhancing productivity, a bank used “new algorithms to predict the cash required at each of its ATMs across the country and then combined this with route-optimization techniques to save money” (McKinsey & Company, 2017).

    A European bank “turned to machine-learning algorithms that predict which currently active customers are likely to reduce their business with the bank.” The resulting understanding “gave rise to a targeted campaign that reduced churn by 15 percent” (McKinsey & Company, 2017).

    A leading Canadian bank has built a marketplace around their data – they have launched a data marketplace where they have productized the bank’s data. They are providing data – as a product – to other units within the bank. These other business units essentially represent internal customers who are leveraging the product, which is data.

    Through the use of data and advanced analytics, “a top bank in Asia discovered unsuspected similarities that allowed it to define 15,000 microsegments in its customer base. It then built a next-product-to-buy model that increased the likelihood to buy three times over.” Several sets of big data were explored, including “customer demographics and key characteristics, products held, credit-card statements, transaction and point-of-sale data, online and mobile transfers and payments, and credit-bureau data” (McKinsey & Company, 2017).

    What is in it for you? What opportunities can data help you leverage?

    HEALTHCARE

    Leveraging data and analytics to prevent deadly infections

    The fifth-largest health system in the US and the largest hospital provider in California uses a big data and advanced analytics platform to predict potential sepsis cases at the earliest stages, when intervention is most helpful.

    Using the Sepsis Bio-Surveillance Program, this hospital provider monitors 120,000 lives per month in 34 hospitals and manages 7,500 patients with potential sepsis per month.

    Collecting data from the electronic medical records of all patients in its facilities, the solution uses natural language processing (NLP) and a rules engine to continually monitor factors that could indicate a sepsis infection. In high-probability cases, the system sends an alarm to the primary nurse or physician.

    Since implementing the big data and predictive analytics system, this hospital provider has seen a significant improvement in the mortality and the length of stay in ICU for sepsis patients.

    At 28 of the hospitals which have been on the program, sepsis mortality rates have dropped an average of 5%.

    With patients spending less time in the ICU, cost savings were also realized. This is significant, as sepsis is the costliest condition billed to Medicare, the second costliest billed to Medicaid and the uninsured, and the fourth costliest billed to private insurance.

    Source: SAS, 2019

    What is in it for you? What opportunities can data help you leverage?

    RETAIL

    Leveraging data to better understand customer preferences, predict purchasing, drive customer experience, and optimize supply and demand planning.

    Netflix is an example of a big brand that uses big data analytics for targeted advertising. With over 100 million subscribers, the company collects large amounts of data. If you are a subscriber, you are likely familiar with their suggestion messages about the next series or movie you should catch up on. These suggestions are based on your past search data and watch data. This data provides Netflix with insights into your interests and preferences for viewing (Mentionlytics, 2018).

    “For the retail industry, big data means a greater understanding of consumer shopping habits and how to attract new customers.”– Ron Barasch, Envestnet | Yodlee, 2019

    The business case for data – moving from platitudes to practicality

    When building your business case, consider the following:

    • What is the most effective way to communicate the business case to executives?
    • How can CDOs and other data leaders use data to advance their organizations’ corporate strategy?
    • What does your data estate look like? Are you looking to leverage and drive value from your semi-structured and unstructured data assets?
    • Does your current organizational culture support a data-driven one? Does the organization have a history of managing change effectively?
    • How do changing privacy and security expectations alter the way businesses harvest, save, use, and exchange data?

    “We’re the converted … We see the value in data. The battle is getting executive teams to see it our way.”– Ted Maulucci, President of SmartONE Solutions Inc. IT World Canada, 2018

    Where do you stack up? What is your current data management maturity?

    Info-Tech’s IT Maturity Ladder denotes the different levels of maturity for an IT department and its different functions. What is the current state of your data management capability?

    Innovator - Transforms the Business. Business Partner - Expands the Business. Trusted Operator - Optimizes the Business. Firefighter - Supports the Business. Unstable - Struggles to Support.

    Info-Tech Insight

    You are best positioned to successfully execute on a data strategy if you are currently at or above the Trusted Operator level. If you find yourself still at the Unstable or Firefighter stage, your efforts are best spent on ensuring you can fulfill your day-to-day data and data management demands. Improving this capability will help build a strong data management foundation.

    Guiding principles of a data strategy

    Value of Clearly Defined Data Principles

    • Guiding principles help define the culture and characteristics of your practice by describing your beliefs and philosophy.
    • Guiding principles act as the heart of your data strategy, helping to shape initiative plans and day-to-day behaviors related to the use and treatment of the organization’s data assets.

    “Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.”– McKinsey, 2018

    Build a Robust and Comprehensive Data Strategy

    Business Strategy and Current Environment connect with the Data Strategy. Data Strategy includes: Organizational Drivers and Data Value, Data Strategy Objectives and Guiding Principles, Data Strategy Vision and Mission, Data Strategy Roadmap, People: Roles and Organizational Structure, Data Culture and Data Literacy, Data Management and Tools, Risk and Feasibility.

    Follow Info-Tech’s methodology for effectively leveraging the value out of your data

    Some say it’s the new oil. Or the currency of the new business landscape. Others describe it as the fuel of the digital economy. But we don’t need platitudes — we need real ways to extract the value from our data. – Jim Love, CIO and Chief Digital Officer, IT World Canada, 2018

    1. Business Context. 2. Data and Resources Foundation. 3. Effective Data Strategy

    Our practical step-by-step approach helps you to formulate a data strategy that delivers business value.

    1. Establish Business Context and Value: In this phase, you will determine and substantiate the business drivers for optimizing the data strategy. You will identify the business drivers that necessitate the data strategy optimization and examine your current organizational data culture. This will be key to ensuring the fruits of your optimization efforts are being used. You will also define the vision, mission, and guiding principles and build high-value use cases for the data strategy.
    2. Ensure You Have a Solid Data and Resources Foundation: This phase will help you ensure you have a solid data and resources foundation for operationalizing your data strategy. You will gain an understanding of your current environment in terms of data management enablers and the required resources portfolio of key people, roles, and skill sets.
    3. Formulate a Sustainable Data Strategy: In this phase, you will bring the pieces together for formulating an effective data strategy. You will evaluate and prioritize the use cases built in Phase 1, which summarize the alignment of organizational goals with data needs. You will also create your strategic plan, considering change management and communication.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks are used throughout all four options.

    Adopt Change Management Practices and Succeed at IT Organizational Redesign


    Organizational redesigns frequently fail when it comes to being executed. This leads to:

    • The loss of critical talent and institutional knowledge.
    • An inability to deliver on strategic goals and objectives.
    • Financial and time losses to the organization.

    Organizational redesigns fail during implementation primarily because they do not consider the change management required to succeed.

    Our Advice

    Critical Insight

    Implementing your organizational design with good change management practices is more important than defining the new organizational structure.

    Implementation is often negatively impacted due to:

    • Employees not understanding the need to redesign the organizational structure or operating model.
    • Employees not being communicated with or engaged throughout the process, which can cause chaos.
    • Managers not being prepared or trained to have difficult conversations with employees.

    Impact and Result

    When good change management practices are used and embedded into the implementation process:

    • Employees feel respected and engaged, reducing turnover and productivity loss.
    • The desired operating structure can be implemented faster, enabling the delivery of strategic objectives.
    • Gaps and disorganization are avoided, saving the organization time and money.

    Invest in change management for your IT redesign.

    Adopt Change Management Practices and Succeed at IT Organizational Redesign Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Adopt Change Management Practices and Succeed at IT Organizational Redesign Deck – Succeed at implementing your IT organizational structure by adopting the necessary change management practices.

    The best IT organizational structure will still fail to be implemented if the organization does not leverage and use good change management practices. Consider practices such as aligning the structure to a meaningful vision, preparing leadership, communicating frequently, including employees, and measuring adoption to succeed at organizational redesign implementation.

    • Adopt Change Management Practices and Succeed at IT Organizational Redesign Storyboard

    2. IT Organizational Redesign Pulse Survey Template – A survey template that can be used to measure the success of your change management practices during organizational redesign implementation.

    Taking regular pulse checks of employees and managers during the transition will enable IT Leaders to focus on the right practices to enable adoption.

    • IT Organizational Redesign Pulse Survey Template

    Further reading

    Adopt Change Management Practices & Succeed at IT Organizational Redesign

    The perfect IT organizational structure will fail to be implemented if there is no change management.

    Analyst Perspective

    Don’t doom your organizational redesign efforts


    After helping hundreds of organizations across public and private sector industries redesign their organizational structure, we can say there is one thing that will always doom this effort: A failure to properly identify and implement change management efforts into the process.

    Employees will not simply move forward with the changes you suggest just because you as the CIO are making them. You need to be prepared to describe the individual benefits each employee can expect to receive from the new structure. Moreover, it has to be clear why this change was needed in the first place. Redesign efforts should be driven by a clear need to align to the organization’s vision and support the various objectives that will need to take place.

    Most organizations do a great job defining a new organizational structure. They identify a way of operating that tells them how they need to align their IT capabilities to deliver on strategic objectives. What most organizations do poorly is invest in their people to ensure they can adopt this new way of operating.

    Brittany Lutes
    Research Director, Organizational Transformation

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Organizational redesigns frequently fail when it comes to being executed. This leads to:

    • The loss of critical talent and institutional knowledge.
    • An inability to deliver on strategic goals and objectives.
    • Financial and time losses to the organization.

    Organizational redesigns fail during implementation primarily because they do not consider the change management required to succeed.

    Common Obstacles

    Implementation of the organizational redesign is often impacted when:

    • Employees do not understand the need to redesign the organizational structure or operating model.
    • Employees are not communicated with or engaged throughout the process, which can cause chaos.
    • Managers are not prepared or trained to have difficult conversations with employees.

    Essentially, implementation is impacted when change management is not included in the redesign process.

    Info-Tech’s Approach

    When good change management practices are used and embedded into the implementation process:

    • Employees feel respected and engaged, reducing turnover and productivity loss.
    • The desired operating structure can be implemented faster, enabling the delivery of strategic objectives.
    • Gaps and disorganization are avoided, saving the organization time and money.

    Invest in change management for your IT redesign.

    Info-Tech Insight

    Implementing your organizational design with good change management practices is more important than defining the new organizational structure.

    Your challenge

    This research enables organizations to succeed at their organizational redesign:

    • By implementing the right change management practices. These methods prevent:
      • The loss of critical IT employees who will voluntarily exit the organization.
      • Employees from creating rumors that will be detrimental to the change.
      • Confusion about why the change was needed and how it will benefit the strategic objectives the organization is seeking to achieve.
      • Spending resources (time, money, and people) on the initiative longer than is necessary.

    McKinsey reported that less than 25% of organizational redesigns are successful, which is worse than the average change initiative, which has a 70% failure rate.

    Source: AlignOrg, 2020.

    The value of the organizational redesign efforts is determined by the percentage of individuals who adopt the changes and operate in the desired way of working.

    When organizations properly use organizational design processes, they are:

    4× more likely to delight customers

    13× more effective at innovation

    27× more likely to retain employees

    Source: The Josh Bersin Company, 2022

    Common obstacles

    These barriers make implementing an organizational redesign difficult for many organizations:

    • You communicated the wrong message to the wrong audience at the wrong time. Repeatedly.
    • There is a lack of clarity around the drivers for an organizational redesign.
    • A readiness assessment was not completed ahead of the changes.
    • There is no flexibility built into the implementation approach.
    • The structure is not aligned to the strategic goals of IT and the organization.
    • IT leadership is not involved in their staff’s day-to-day activities, making it difficult to suggest realistic changes.

    Don’t doom your organizational redesign with poor change management

    Only 17% of frontline employees believe the lines of communication are open.

    Source: Taylor Reach Group, 2019

    43% of organizations are ineffective at the organizational design methodology.

    Source: The Josh Bersin Company, 2022.

    Change management is a must for org design

    Forgetting change management is the easiest way to fail at redesigning your IT organizational structure

    • Change management is not a business transformation.
    • Change management consists of the practices and approaches your organization takes to support your people through a transformation.
    • Like governance, change management happens regardless of whether it is planned or ad hoc.
    • However, good change management will be intentional and agile, using data to help inform the next action steps you will take.
    • Change management is 100% focused on the people and how to best support them as they learn to understand the need for the change, what skills they must have to support and adopt the change, and eventually to advocate for the change.

    "Organizational transformation efforts rarely fail because of bad design, but rather from lack of sufficient attention to the transition from the old organization to the new one."

    – Michael D. Watkins & Janet Spencer, “10 Reasons Why Organizational Change Fails.”

    Info-Tech’s approach

    Redesigning the IT structure depends on good change management


    Common changes in organizational redesigns

    Entirely New Teams

    Additions, reductions, or new creations. The individuals that make up a functional team can shift.

    New Team Members

    As roles become defined, some members might be required to shift and join already established groups.

    New Responsibilities

    The capabilities individuals will be accountable or responsible for become defined.

    New Ways of Operating

    From waterfall to Agile, collaborative to siloed, your operating model provides insight into the ways roles will engage one another.

    Top reasons organizational redesigns fail

    1. The rationale for the redesign is not clear.
    2. Managers do not have the skills to lead their teams through a change initiative like organizational redesign.
    3. You communicated the wrong messages at the wrong times to the wrong audiences.
    4. Frontline employees were not included in the process.
    5. The metrics you have to support the initiative are countering one another – if you have metrics at all.
    6. Change management and project management are being treated interchangeably.

    Case study: restructuring to reduce

    Clear Communication & Continuous Support

    Situation

    On July 26th, 2022, employees at Shopify – an eCommerce platform – were told by their CEO that a round of layoffs was about to take place. Effective that day, 1,000 employees or 10% of the workforce would be laid off.

    In his message to staff, CEO Tobi Lutke admitted he had assumed continual growth in the eCommerce market when the COVID-19 pandemic forced many consumers into online shopping. Unfortunately, it was clear that was not the case.

    In his communications, Tobi let people know what to expect throughout the day, and he informed people what supports would be made available to those laid off. Mainly, employees could expect to see a transparent approach to severance pay; support in finding new jobs through coaching, connections, or resume creation; and ongoing payment for new laptops and internet to support those who depend on this connectivity to find new jobs.

    Results

    Unlike many of the other organizations (e.g. Wayfair and Peloton) that have had to conduct layoffs in 2022, Shopify had a very positive reaction. Many employees took to LinkedIn to thank their previous employer for all that they had learned with the organization and to ask their network to support them in finding new opportunities. Below is a letter from the CEO:

    The image contains a screenshot of a letter from the CEO.

    Shopify, 2022.
    Forbes, 2022.

    Aligned to a Meaningful Vision

    An organizational redesign must be aligned to a clear and meaningful vision of the organization.

    Define the drivers for organizational redesign

    And align the structure to execute on those drivers.

    • Your structure should follow your strategy. However, 83% of people in an organization do not fully understand the strategy (PWC, 2017).
    • How can employees be expected to understand why the IT organization needs to be restructured to meet a strategy if the strategy itself is still vague and unclear?
    • When organizations pursue a structural redesign, there are often a few major reasons:
      • Digital/organizational transformation
      • New organizational strategy
      • Acquisition or growth of products, services, or capabilities
      • The need to increase effectiveness
      • Cost savings
    • Creating a line of sight for your employees and leadership team will increase the likelihood that they want to adopt this structure.

    “The goal is to align your operating model with your strategy, so it directly supports your differentiating capabilities.”

    – PWC, 2017.

    How to align structure to strategy

    Recommended action steps:

    • Describe the end state of the organizational structure and how long you anticipate it will take to reach that state. It's important that employees be able to visualize the end state of the changes being made.
    • Ensure people understand the vision and goals of the IT organization. Are you having discussions about these? Are managers discussing these? Do people understand that their day-to-day job is intended to support those goals?
    • Create a visual:
      • The goals of the organization → align to the initiatives of IT → which require this exact structure to deliver.
    • Do not assume people are willing to move forward with this vision. If people are not willing, assess why and determine if there are benefits specific to the individual that can support them in adopting the future state.
    • Define and communicate the risks of not making the organizational structure changes.

    Info-Tech Insight

    A trending organizational structure or operating model should never be the driver for an organizational redesign.

    IT Leaders Are Not Set Up To Succeed

    Empower these leaders to have difficult conversations.

    Lacking key leadership capabilities in managers

    Technical leaders are common in IT, but people leaders are necessary during the implementation of an organizational structure.

    • Managers are important during a transformational change for many reasons:
      • Managers play a critical role in being able to identify the skill gaps in employees and to help define the next steps in their career path.
      • After the sponsor (CIO) has communicated to the group the what and the why, the personal elements of the change fall to managers.
      • Managers’ displays of disapproval for the redesign can halt the transformation.
    • However, many managers (37%) feel uncomfortable talking to employees and providing feedback if they think it will elicit a negative response (Taylor Reach Group, 2019).
    • Unfortunately, organizational redesign is known for eliciting negative responses from employees as it generates fears around the unknown.
    • Therefore, managers must be able to have conversations with employees to further the successful implementation and adoption of the structure.

    “Successful organizational redesign is dependent on the active involvement of different managerial levels."

    – Marianne Livijn, “Managing Organizational Redesign: How Organizations Relate Macro and Micro Design.”

    They might be managers, but are they leaders?

    Recommended action steps:

    • Take time to speak with managers one on one and understand their thoughts, feelings, and understanding of the change.
    • Ensure that middle-managers have an opportunity to express the benefits they believe will be realized through the proposed changes to the organizational chart.
    • Provide IT leaders with leadership training courses (e.g. Info-Tech’s Leadership Programs).
    • Do not allow managers to start sharing and communicating the changes to the organizational structure if they are not demonstrating support for this change. Going forward, the group is all-in or not, but they should never demonstrate not being bought-in when speaking to employees.
    • Ensure IT leaders want to manage people, not just progress to a management position because they cannot climb a technical career ladder within the proposed structure. Provide both types of development opportunities to all employees.
    • Reduce the managers’ span of control to ensure they can properly engage all direct reports and there is no strain on the managers' time.

    Info-Tech Insight

    47% of direct reports do not agree that their leader is demonstrating the change behaviors. Often, a big reason is that many middle-managers do not understand their own attitudes and beliefs about the change.

    Source: McKinsey & Company “How Do We Manage the Change Journey?”

    Check out Info-Tech’s Build a Better Manager series to support leadership development

    These blueprints will help you create strong IT leaders who can manage their staff and themselves through a transformation.

    Build a Better Manager: Basic Management Skills

    Build a Better Manager: Personal Leadership

    Build a Better Manager: Manage Your People

    Build Successful Teams

    Transparent & Frequent Communication

    Provide employees with several opportunities to hear information and ask questions about the changes.

    Communication must be done with intention

    Include employees in the conversation to get the most out of your change management.

    • Whether it is a part of a large transformation or a redesign to support a specific goal of IT, begin thinking about how you will communicate the anticipated changes and who you will communicate those changes to right away.
    • The first group of people who need to understand why this initiative is important are the other IT leaders. If they are not included in the process and able to understand the foundational drivers of the initiative, you should not continue to try and gain the support of other members within IT.
    • Communication is critical to the success of the organizational redesign.
    • Communicating the right information at the right time will make the difference between losing critical talent and emerging from the transition successfully.
    • The sponsor of this redesign initiative must be able to communicate the rationale of the changes to the other members of leadership, management, and employees.
    • The sponsor and their change management team must then be prepared to accept the questions, comments, and ideas that members of IT might have around the changes.

    "Details about the new organization, along with details of the selection process, should be communicated as they are finalized to all levels of the organization.”

    – Courtney Jackson, “7 Reasons Why Organizational Structures Fail.”

    Two-way communication is necessary

    Recommended action steps:

    • Don't allow rumors to disrupt this initiative – be transparent with people as early as possible.
    • If the organizational restructure will not result in a reduction of staff – let them know! If someone's livelihood (job) is on the line, it increases the likelihood of panic. Let's avoid panic.
    • Provide employees with an opportunity to voice their concerns, questions, and recommendations – so long as you are willing to take that information and address it. Even if the answer to a recommendation is "no" or the answer to a question is "I don't know, but I will find out," you've still let them know their voice was heard in the process.
    • As the CIO, ensure that you are the first person to communicate the changes. You are the sponsor of this initiative – no one else.
    • Create communications that are clear and understandable. Imagine someone who does not work for your organization is hearing the information for the first time. Would they be able to comprehend the changes being suggested?
    • Conduct a pulse survey on the changes to identify whether employees understand the changes and feel heard by the management team.

    Info-Tech Insight

    The project manager of the organizational redesign should not be the communicator. The CIO and the employees’ direct supervisor should always be the communicators of key change messages.

    Communication spectrum

    An approach to communication based on the type of redesign taking place

    ← Business-Mandated Organizational Redesign

    • Reduction in roles
    • Cost savings
    • Requires champions who will maintain employee morale throughout
    • Communicate with key individuals ahead of time

    Enable Alignment & Increased Effectiveness

    • Restructure of IT roles
    • Increase effectiveness
    • Lean on managers & supervisors to provide consistent messaging
    • Communicate the individual benefits of the change

    IT-Driven & Strategic Organizational Redesign →

    • Increase in IT roles
    • Alignment to business model
    • Frequent and ongoing communication from the beginning
    • Collaborate with IT groups for input on best structure

    Include Employees in the Redesign Process

    Stop talking at employees and ensure they are involved in the changes impacting their day-to-day lives.

    Employees will enable the change

    Old-school approaches to organizational redesign have argued employee engagement is a hindrance to success – it’s not.

    • We often fail to include the employees most impacted by a restructuring in the redesign process. As a result, one of the top reasons employees do not support the change is that they were not included in the change.
    • A big benefit of including employees in the process is it mitigates the emergence of a rumor mill.
    • Moreover, being open to suggestions from staff will help the transformation succeed.
    • Employees can best describe what this transition might entail on a day-to-day basis and the supports they will require to succeed in moving from their current state to their future state.
      • CIOs and other IT leaders are often too far removed from the day-to-day to best describe what will or will not work.
    • When employees feel included in the process, they are more likely to feel like they had a choice in what and how things change.

    "To enlist employees, leadership has to be willing to let things get somewhat messy, through intensive, authentic engagement and the involvement of employees in making the transformation work."

    – Michael D. Watkins & Janet Spencer, “10 Reasons Why Organizational Change Fails.”

    Empowering employees as change agents

    Recommended action steps:

    • Do not tell employees what benefits they will gain from this new change. Instead, ask them what benefits they anticipate.
    • Ask employees what challenges they anticipate, and identify actions that can be taken to minimize those challenges.
    • Identify who the social influencers are in the organization by completing an influencer map. The informal social networks in your organization can be powerful drivers of change when the right individuals are brought onboard.
    • Create a change network using those influencers. The change network includes individuals who represent all levels within the organization and can represent the employee perspective. Use them to help communicate the change and identify opportunities to increase the success of adoption: “Engaging influencers in change programs makes them 3.8 times more likely to succeed” (McKinsey & Company, 2020).
    • Ask members of the change network to identify possible resistors of the new IT structure and inform you of why they might be resisting the changes.

    Info-Tech Insight

    Despite the persistent misconceptions, including employees in the process of a redesign reduces uncertainty and rumors.

    Monitor employee engagement & adoption throughout the redesign

    Only 22% of organizations include the employee experience as a part of the design process

    – The Josh Bersin Company, 2022.
    Monitor IT Employee Experience

    When Prosci designed their Change Impact Analysis, they identified the ways in which roles will be impacted across 10 different components:

    • Location
    • Process
    • Systems
    • Tools
    • Job roles
    • Critical behaviors
    • Mindset/attitudes/beliefs
    • Reporting structure
    • Performance reviews
    • Compensation

    Engaging employees in the process so that they can define how their role might be impacted across these 10 categories not only empowers the employee, but also ensures they are a part of the process.

    Source: Prosci, 2019.

    Conduct an employee pulse survey

    See the next slide for more information on how to create and distribute this survey.

    Employee Pulse Survey

    Conduct mindful and frequent check-ins with employees

    Process to conduct survey:

    1. Using your desired survey solution (e.g. MS Forms, SurveyMonkey, Qualtrics) input the questions into the survey and send to staff. A template of the survey in MS Forms is available here: IT Organizational Redesign Pulse Survey Template.
    2. When sending to staff, ensure that the survey is anonymous and reinforce this message.
    3. Leverage the responses from the survey to learn where there might be opportunities to improve the transformation experience (aligning the structure to the vision, employee inclusion, communication, or managerial support for the change). Review the recommended action steps in this research set for help.
    4. This assessment is intended for frequent but purposeful use. Only send out the survey when you have taken actions in order to improve adoption of the change or have provided communications. The Employee Pulse Survey should be reevaluated on a regular basis until adoption across all four categories reaches the desired state (80-100% adoption is recommended).

    The image contains a screenshot of the employee pulse survey.

    Define Key Metrics of Adoption & Success

    Metrics have a dual benefit of measuring successful implementation and meeting the original drivers.

    Measuring the implementation is a two-pronged approach

    Both employee adoption and the transformation of the IT structure need to be measured during implementation

    • Organizations that are going through any sort of transformation – such as organizational redesign – should be measuring whether they are successfully on track to meet their target or have already met that goal.
    • Throughout the organizational structure transition, a major factor that will impact the success of that goal is employee willingness to move forward with the changes.
    • However, rather than measuring these two components using hard data, we rely on gut checks that let us know if we think we are on track to gaining adoption and operating in the desired future state.
    • Given how fluid employees and their responses to change can be, conducting a pulse survey at a regular (but strategically identified) interval will provide insight into where the changes will be adopted or resisted.

    “Think about intentionally measuring at the moments in the change storyline where feedback will allow leaders to make strategic decisions and interventions.”

    – Bradley Wilson, “Employee Survey Questions: The Ultimate Guide.”

    Report that the organizational redesign for IT was a success

    Recommended action steps:

    • Create clear metrics related to how you will measure the success of the organizational redesign, and communicate those metrics to people. Ensure the metrics are not contrary to the goals of other initiatives or team outcomes.
    • Create one set of metrics related to adoption and another set of metrics tied to the successful completion of the project objective.
      • Are people changing their attitudes and behaviors to reflect the required outcome?
      • Are you meeting the desired outcome of the organizational redesign?
    • Use the metrics to inform how you move forward. Do not attempt the next phase of the organizational transformation before employees have clearly indicated a solid understanding of the changes.
    • Ensure that any metrics used to measure success will not negatively interfere with another team’s progress. The metrics of the group need to work together, not against each other.

    Info-Tech Insight

    Getting 100% adoption from employees is unlikely. However, if employee adoption is not sitting in the 80-90% range, it is not recommended that you move forward with the next phase of the transformation.

    Example sustainment metrics

    Driver | Goal Measurement | Key Performance Indicator (KPI)
    Workforce Challenges and Increased Effectiveness | Employee Engagement | The change in employee engagement before, during, and after the new organizational structure is communicated and implemented.
    Increased Effectiveness | Alignment of Demand to Resources | Does your organization have sufficient resources to meet the demands being placed on your IT organization?
    Increased Effectiveness and Workforce Challenges | Role Clarity | An increase in role clarity or a decrease in role ambiguity.
    Increased Effectiveness | Reduction in Silos | Employee effectiveness increases by 27% and efficiency by 53% when provided with role clarity (Effectory, 2019).
    Increased Effectiveness | Reduction in Silos | Frequency of communication channels created (scrum meetings, Teams channels, etc.) specific to the organizational structure intended to reduce silos.
    Operating in a New Org. Structure | Change Adoption Rate | The percentage of employees who have adopted their defined role within the new organizational chart in 3-, 6-, and 12-month increments.
    Workforce Challenges | Turnover Rate | The number of employees who voluntarily leave the organization, citing the organizational redesign.
    Workforce Challenges | Active Resistors | The number of active resistors anticipated related to the change in organizational structure versus the number of active resistors that actually present themselves to the organizational restructuring.
    New Capabilities Needed | Gap in Capability Delivery | The increase in effectiveness in delivering on new capabilities to the IT organization.
    Operating in a New Org. Structure | Change Adoption Rate | The percentage of employees who found the communication around the new organizational structure clear, easy to understand, and open to expressing feedback.
    Lack of Business Understanding or Increased Effectiveness | Business Satisfaction with IT | Increase in business satisfaction toward IT products and services.
    Workforce Challenges | Employee Performance | Increase in individual employee performances on annual/bi-annual reviews.
    Adoption | Pulse Assessment | Increase in overall adoption scores on pulse survey.
    Adoption | Communication Effectiveness | Reduction in the number of employees who are still unsure why the changes are required.
    Adoption | Leadership Training | Percentage of members of leadership attending training to support their development at the managerial level.

    Change Management ≠ Project Management

    Stop treating the two interchangeably.

    IT organizations struggle to mature their OCM capabilities

    Because frankly they didn’t need it

    • Change management is all about people.
    • If the success of your organization is dependent on this IT restructuring, it is important to invest the time to do it right.
    • This means it should not be something done off the side of someone's desk.
    • Hire a change manager or look to roles that have a responsibility to deliver on organizational change management.
    • While project success is often measured by whether it was delivered on time, on budget, and in scope, change management is adaptable. It can move backward in the process to secure people's willingness to adopt the required behaviors.
    • Strategic organizations recognize it’s not just about pushing an initiative or project forward. It’s about making sure that your employees are willing to move that initiative forward too.
    • A major organizational transformation initiative like restructuring requires you lean into employee adoption and buy-in.

    “Only if you have your employees in mind can you implement change effectively and sustainably.”

    – Creaholic Pulse Feedback, “Change Management – And Why It Has to Change.”

    Take the time to educate & communicate

    Recommended action steps:

    • Do not treat change management and project management as synonymous.
    • Hire a change manager to support the organizational redesign transformation.
    • Invest the resources (time, money, people) that can support the change and enable its success. This can look like:
      • Training and development.
      • Hiring the right people.
      • Requesting funds during the redesign process to support the transition.
    • Create a change management plan – and be willing to adjust the timelines or actions of this plan based on the feedback you receive from employees.
    • Implement the new organizational structure in a phased approach. This allows time to receive feedback and address any fears expressed by staff.

    Info-Tech Insight

    OCM is often not included or used due to a lack of understanding of how it differs from project management.

    And an additional five experts across a variety of organizations who wish to remain anonymous.

    Research Contributors and Experts

    Info-Tech Research Group

    • Amanda Mathieson, Research Director
    • Heather Munoz, Executive Counselor
    • Valence Howden, Principal Research Director
    • Ugbad Farah, Research Director
    • Lisa Hager Duncan, Executive Counselor
    • Alaisdar Graham, Executive Counselor
    • Carlene McCubbin, Practice Lead

    Related Info-Tech Research

    Redesign Your IT Organizational Structure

    Build a Strategic IT Workforce Plan

    Implement a New IT Organizational Structure

    • Organizational redesign is only as successful as the process leaders engage in.
    • Benchmarking your organizational redesign to other organizations will not work.
    • You could have the best IT employees in the world, but if they aren’t structured well, your organization will still fail in reaching its vision.
    • A well-defined strategic workforce plan (SWP) isn’t just a nice-to-have, it’s a must-have.
    • Integrate as much data as possible into your workforce plan to best prepare you for the future. Without knowledge of your future initiatives, you are filling hypothetical holes.
    • To be successful, you need to understand your strategic initiatives, workforce landscape, and external and internal trends.
    • Organizational design implementations can be highly disruptive for IT staff and business partners. Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to change.
    • CIOs walk a tightrope as they manage operational and emotional turbulence while aiming to improve business satisfaction with IT. Failure to achieve balance could result in irreparable failure.

    Bibliography

    Aronowitz, Steven, et al. “Getting Organizational Design Right.” McKinsey, 2015. Web.
    Ayers, Peg. “5 Ways to Engage Your Front-Line Staff.” Taylor Reach Group, 2019. Web.
    Bushard, Brian, and Carlie Porterfield. “Meta Reportedly Scales Down, Again – Here Are the Major US Layoffs This Year.” Forbes, September 28, 2022. Web.
    Carucci, Ron. “4 Organizational Design Issues that Most Leaders Misdiagnose.” Harvard Business Review, 2019.
    “Change Management – And Why It Has to Change.” Creaholic Pulse Feedback. Web.
    “Communication Checklist for Achieving Change Management.” Prosci, 27 Oct. 2022. Web.
    “Defining Change Impact.” Prosci, 29 May 2019. Web.
    “The Definitive Guide To Organization Design.” The Josh Bersin Company, 2022.
    Deshler, Reed. “Five Reasons Organizational Redesigns Fail to Deliver.” AlignOrg. 28 Jan. 2020. Web.
    The Fit for Growth Mini Book. PwC, 12 Jan. 2017.
    Helfand, Heidi. Dynamic Reteaming: The Art and Wisdom of Changing Teams. 2nd ed., O’Reilly Media, 2020.
    Jackson, Courtney. “7 Reasons Why Organizational Structures Fail.” Scott Madden Consultants. Web.
    Livijn, Marianne. Managing Organizational Redesign: How Organizations Relate Macro and Micro Design. Doctoral dissertation. Department of Management, Aarhus University, 2020.
    Lutke, Tobias. “Changes to Shopify’s Team.” Shopify. 26 July 2022.
    McKinsey & Company. “How Do We Manage the Change Journey?” McKinsey & Company, 2020.
    Pijnacker, Lieke. “HR Analytics: Role Clarity Impacts Performance.” Effectory, 29 Sept. 2019. Web.
    Tompkins, Teri C., and Bruce G. Barkis. “Conspiracies in the Workplace: Symptoms and Remedies.” Graziadio Business Review, vol. 21, no. 1, 2021. Web.
    “Understanding Organizational Structures.” SHRM, 2022.
    Watkins, Michael D., and Janet Spencer. “10 Reasons Why Organizational Change Fails.” I by IMD, 10 March 2021. Web.
    Wilson, Bradley. “Employee Survey Questions: The Ultimate Guide.” Perceptyx, 1 July 2020. Web.

    Increase Grant Application Success

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $7,799 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • Writing grants has not been prioritized by the organization.
    • Your organization is unable to start, finish, and/or continue priority projects or initiatives as it does not have sufficient funds.
    • Grants are applied to in an ad hoc manner by employees who do not have sufficient time and resources to dedicate to the process.

    Our Advice

    Critical Insight

    There are three critical components to the grant application process:

    • Being strategic about the grant opportunities your organization chooses to pursue.
    • Dedicating sufficient time and resources to writing a competitive grant application.
    • Ensuring your organization will be able to adhere to the grant parameters if awarded the funding.

    Impact and Result

    • By leveraging Info-Tech’s methodology, your organization will strategically select, write, and submit competitive grant applications, securing additional funding sources to support the organization and the communities you serve.
    • This research can enhance the grant writing capabilities of the organization and ensure that every grant chosen aligns with your organizational priorities.
    • This blueprint will drive consensus on which grant applications should be prioritized by the organization, ensuring resourcing, feasibility, and significance are considered.

    Increase Grant Application Success Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your organization's grant application lifecycle and how you can increase the number of grants your organization is awarded. Review Info-Tech’s methodology and understand the four ways Info-Tech can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify Opportunities

    Identify grant funding opportunities that align with your organization's priorities. Ensure the programs, services, projects, and initiatives that align with these priorities can be financially supported by grant funding.

    • Increase Grant Application Success – Phase 1: Identify Opportunities
    • Grant Identification and Prioritization Tool for Organizations

    2. Grant Prioritization

    Prioritize applying for the grant opportunities that your organization identified. Be sure to consider the feasibility of implementing the project or initiative if your organization is awarded the grant.

    • Increase Grant Application Success – Phase 2: Grant Prioritization

    3. Write the Grant Application

    Write a competitive grant application that has been strategically developed and actively critiqued by various internal and external reviewers.

    • Increase Grant Application Success – Phase 3: Write the Grant Application
    • Grant Writing Checklist

    4. Submit the Grant Application

    Submit an exemplary grant application that meets the guidelines and expectations of the granting agency prior to the due date.

    • Increase Grant Application Success – Phase 4: Submit the Grant Application
    • Grant Follow-up Email Template


    Workshop: Increase Grant Application Success

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Your Organization's Priorities

    The Purpose

    Determine the key priorities of your organization and identify grant funding opportunities that align with those priorities.

    Key Benefits Achieved

    Prevents duplicate grant applications from being submitted

    Ensures the grant and the organization's priorities are aligned

    Increases the success rate of grant applications

    Activities

    1.1 Discuss grant funding opportunities and their importance to the organization.

    1.2 Identify organizational priorities.

    Outputs

    An understanding of why grants are important to your organization

    A list of priorities being pursued by your organization

    2 Prioritize Grant Funding Opportunities

    The Purpose

    Identify potential grant funding opportunities that align with the projects/initiatives the organization would like to pursue. Prioritize these funding opportunities and identify which should take precedence based on resourcing, importance, likelihood of success, and feasibility.

    Key Benefits Achieved

    Generate a list of potential funding opportunities that can be revisited when resources allow

    Obtain consensus from your working group on which grants should be pursued based on how they have been prioritized

    Activities

    2.1 Develop a list of potential grant funding opportunities.

    2.2 Define the resource capacity your organization has to support the grant writing process.

    2.3 Discuss and prioritize grant opportunities.

    Outputs

    A list of potential grant funding opportunities

    Realistic expectations of your organization's capacity to undertake the grant writing lifecycle

    Notes and priorities from your discussion on grant opportunities

    3 Sketch a Grant Application

    The Purpose

    Take the grant that was given top priority in the last section and sketch out a draft of what that application will look like. Think critically about the sketch and determine if there are opportunities to further clarify and demonstrate the goals of the grant application.

    Key Benefits Achieved

    A sketch ready to be developed into a grant application

    A critique of the sketch to ensure that the application will be well understood by the reviewers of your submission

    Activities

    3.1 Sketch the grant application.

    3.2 Perform a SWOT analysis of the grant sketch.

    Outputs

    A sketched version of the grant application ready to be drafted

    A SWOT analysis that critically examines the sketch and offers opportunities to enhance the application

    4 Prepare to Submit the Grant Application

    The Purpose

    Have the grant application actively critiqued by various internal and external individuals. This will increase the grant application's quality and generate understanding of the application submission and post-submission process.

    Key Benefits Achieved

    A list of individuals (internal and external) that can potentially review the application prior to submission

    Preparation for the submission process

    An understanding of why the opportunity to learn how to improve future grant applications is so important

    Activities

    4.1 Identify potential individuals who will review the draft of your grant application.

    4.2 Discuss next steps around the grant submission.

    4.3 Review grant writing best practices.

    Outputs

    A list of potential individuals who can be asked to review and critique the grant application

    An understanding of what the next steps in the process will be

    Knowledge of grant writing best practices

    Lead Strategic Decision Making With Service Portfolio Management

    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • There are no standardized processes for the intake of new ideas and no consistent view of the drivers needed to assess the value of these ideas.
    • IT is spending money on low-value services and doesn’t have the ability to understand and track value in order to prioritize IT investment.
    • CIOs are not trusted to drive innovation.

    Our Advice

    Critical Insight

    • The service portfolio empowers IT to be a catalyst in business strategy, change, and growth.
    • IT must drive value-based investment by understanding value of all services in the portfolio.
    • Organizations must assess the value of their services throughout their lifecycle to optimize business outcomes and IT spend.

    Impact and Result

    • Optimize IT investments by prioritizing services that provide more value to the business, ensuring that you do not waste money on low-value or out-of-date IT services.
    • Ensure that services are directly linked to business objectives, goals, and needs, keeping IT embedded in the strategic vision of the organization.
    • Enable the business to understand the impact of IT capabilities on business strategy.
    • Ensure that IT maintains a strategic and tactical view of the services and their value.
    • Drive agility and innovation by having a streamlined view of your business value context and a consistent intake of ideas.
    • Provide strategic leadership and create new revenue by understanding the relative value of new ideas vs. existing services.

    Lead Strategic Decision Making With Service Portfolio Management Research & Tools

    Start here – read the Executive Brief

    Service portfolio management enables organizations to become strategic value creators by establishing a dynamic view of service value. Understand the driving forces behind the need to manage services through their lifecycles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish the service portfolio

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 1: Establish the Service Portfolio
    • Service Portfolio Worksheet

    2. Develop a value assessment framework

    Use the value assessment tool to assess services based on the organization’s context of value.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 2: Develop a Value Assessment Framework
    • Value Assessment Tool
    • Value Assessment Example Tool

    3. Manage intake and assessment of initiatives

    Create a centralized intake process to manage all new service ideas.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 3: Manage Intake and Assessment of Initiatives
    • Service Intake Form

    4. Assess active services

    Continuously validate the value of the existing service and determine the future of the service based on its value and usage.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 4: Assess Active Services

    5. Manage and communicate the service portfolio

    Communicate and implement the service portfolio within the organization, and create a mechanism to seek out continuous improvement opportunities.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 5: Manage and Communicate the Service Portfolio

    Workshop: Lead Strategic Decision Making With Service Portfolio Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Service Portfolio

    The Purpose

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    Understand at a high level the steps involved in managing the service portfolio.

    Key Benefits Achieved

    Adapt the Service Portfolio Worksheet to organizational needs and create a plan to begin documenting services in the worksheet.

    Activities

    1.1 Review the Service Portfolio Worksheet.

    1.2 Adapt the Service Portfolio Worksheet.

    Outputs

    Knowledge about the use of the Service Portfolio Worksheet.

    Adapt the worksheet to reflect organizational needs and structure.

    2 Develop a Value Assessment Framework

    The Purpose

    Understand the need for a value assessment framework.

    Key Benefits Achieved

    Identify the organizational context of value through a holistic look at business objectives.

    Leverage Info-Tech’s Value Assessment Tool to validate and determine service value.

    Activities

    2.1 Understand value from business context.

    2.2 Determine the governing body.

    2.3 Assess culture and organizational structure.

    2.4 Complete the value assessment.

    2.5 Discuss value assessment score.

    Outputs

    Alignment on value context.

    Clear roles and responsibilities established.

    Ensure there is a supportive organizational structure and culture in place.

    Understand how to complete the value assessment and obtain a value score for selected services.

    Understand how to interpret the service value score.

    3 Manage Intake and Assessment of Initiatives

    The Purpose

    Create a centralized intake process to manage all new service ideas.

    Key Benefits Achieved

    Encourage collaboration and innovation through a transparent, formal, and centralized service intake process.

    Activities

    3.1 Review or design the service intake process.

    3.2 Review the Service Intake Form.

    3.3 Design a process to assess and transfer service ideas.

    3.4 Design a process to transfer completed services to the service catalog.

    Outputs

    Create a centralized process for service intake.

    Complete the Service Intake Form for a specific initiative.

    Have a process designed to transfer approved projects to the PMO.

    Have a process designed for transferring of completed services to the service catalog.

    4 Assess Active Services

    The Purpose

    Continuously validate the value of existing services.

    Key Benefits Achieved

    Ensure services are still providing the expected outcome.

    Clear next steps for services based on value.

    Activities

    4.1 Discuss/review management of active services.

    4.2 Complete value assessment for an active service.

    4.3 Determine service value and usage.

    4.4 Determine the next step for the service.

    4.5 Document the decision regarding the service outcome.

    Outputs

    Understand how active services must be assessed throughout their lifecycles.

    Understand how to assess an existing service.

    Place the service on the 2x2 matrix based on value and usage.

    Understand the appropriate next steps for services based on value.

    Formally document the steps for each of the IRMR options.

    5 Manage and Communicate Your Service Portfolio

    The Purpose

    Communicate and implement the service portfolio within the organization.

    Key Benefits Achieved

    Obtain buy-ins for the process.

    Create a mechanism to identify changes within the organization and to seek out continuous improvement opportunities for the service portfolio management process and procedures.

    Activities

    5.1 Create a communication plan for service portfolio and value assessment.

    5.2 Create a communication plan for service intake.

    5.3 Create a procedure to continuously validate the process.

    Outputs

    Document the target audience, the message, and how the message should be communicated.

    Document techniques to encourage and promote participation from the organization.

    Document the formal review process, including cycle, roles, and responsibilities.

    Optimize IT Change Management

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $33,585 Average $ Saved
    • member rating average days saved: 27 Average Days Saved
    • Infrastructure managers and change managers need to re-evaluate their change management processes due to slow change turnaround time, too many unauthorized changes, too many incidents and outages because of poorly managed changes, or difficulty evaluating and prioritizing changes.
    • IT system owners often resist change management because they see it as slow and bureaucratic.
    • Infrastructure changes are often seen as different from application changes, and two (or more) processes may exist.

    Our Advice

    Critical Insight

    • ITIL provides a usable framework for change management, but full process rigor is not appropriate for every change request.
    • You need to design a process that is flexible enough to meet the demand for change, and strict enough to protect the live environment from change-related incidents.
    • A mature change management process will minimize review and approval activity. Counterintuitively, with experience in implementing changes, risk levels decline to a point where most changes are “pre-approved.”

    Impact and Result

    • Create a unified change management process that reduces risk. The process should be balanced in its approach toward deploying changes while also maintaining throughput of innovation and enhancements.
    • Categorize changes based on an industry-standard risk model with objective measures of impact and likelihood.
    • Establish and empower a change manager and change advisory board with the authority to manage, approve, and prioritize changes.
    • Integrate a configuration management database with the change management process to identify dependencies.

    Optimize IT Change Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize change management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Optimize IT Change Management – Phases 1-4

    1. Define change management

    Assess the maturity of your existing change management practice and define the scope of change management for your organization.

    • Change Management Maturity Assessment Tool
    • Change Management Risk Assessment Tool

    2. Establish roles and workflows

    Build your change management team and standardized process workflows for each change type.

    • Change Manager
    • Change Management Process Library – Visio
    • Change Management Process Library – PDF
    • Change Management Standard Operating Procedure

    3. Define the RFC and post-implementation activities

    Bookend your change management practice by standardizing change intake, implementation, and post-implementation activities.

    • Request for Change Form Template
    • Change Management Pre-Implementation Checklist
    • Change Management Post-Implementation Checklist

    4. Measure, manage, and maintain

    Form an implementation plan for the project, including a metrics evaluation, change calendar inputs, communications plan, and roadmap.

    • Change Management Metrics Tool
    • Change Management Communications Plan
    • Change Management Roadmap Tool
    • Optimize IT Change Management Improvement Initiative: Project Summary Template

    Workshop: Optimize IT Change Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Change Management

    The Purpose

    Discuss the existing challenges and maturity of your change management practice.

    Build definitions of change categories and the scope of change management.

    Key Benefits Achieved

    Understand the starting point and scope of change management.

    Understand the context of change request versus other requests such as service requests, projects, and operational tasks.

    Activities

    1.1 Outline strengths and challenges

    1.2 Conduct a maturity assessment

    1.3 Build a categorization scheme

    1.4 Build a risk assessment matrix

    Outputs

    Change Management Maturity Assessment Tool

    Change Management Risk Assessment Tool

    2 Establish Roles and Workflows

    The Purpose

    Define roles and responsibilities for the change management team.

    Develop a standardized change management practice for approved changes, including process workflows.

    Key Benefits Achieved

    Build the team to support your new change management practice.

    Develop a formalized and right-sized change management practice for each change category. This will ensure all changes follow the correct process and core activities to confirm changes are completed successfully.

    Activities

    2.1 Define the change manager role

    2.2 Outline the membership and protocol for the Change Advisory Board (CAB)

    2.3 Build workflows for normal, emergency, and pre-approved changes

    Outputs

    Change Manager Job Description

    Change Management Standard Operating Procedure (SOP)

    Change Management Process Library

    3 Define the RFC and Post-Implementation Activities

    The Purpose

    Create a new change intake process, including a new request for change (RFC) form.

    Develop post-implementation review activities to be completed for every IT change.

    Key Benefits Achieved

    Bookend your change management practice by standardizing change intake, implementation, and post-implementation activities.

    Activities

    3.1 Define the RFC template

    3.2 Determine post-implementation activities

    3.3 Build your change calendar protocol

    Outputs

    Request for Change Form Template

    Change Management Post-Implementation Checklist

    Project Summary Template

    4 Measure, Manage, and Maintain

    The Purpose

    Develop a plan and project roadmap for reaching your target change management program maturity.

    Develop a communications plan to ensure the successful adoption of the new program.

    Key Benefits Achieved

    A plan and project roadmap for reaching target change management program maturity.

    A communications plan ready for implementation.

    Activities

    4.1 Identify metrics and reports

    4.2 Build a communications plan

    4.3 Build your implementation roadmap

    Outputs

    Change Management Metrics Tool

    Change Management Communications Plan

    Change Management Roadmap Tool

    Further reading

    Optimize IT Change Management

    Right-size IT change management practice to protect the live environment.

    EXECUTIVE BRIEF

    Analyst Perspective

    Balance risk and efficiency to optimize IT change management.

    Change management (change enablement, change control) is a balance of efficiency and risk. That is, pushing changes out in a timely manner while minimizing the risk of deployment. On the one hand, organizations can attempt to avoid all risk and drown the process in rubber stamps, red tape, and bureaucracy. On the other hand, organizations can ignore process and push out changes as quickly as possible, which will likely lead to change-related incidents and debilitating outages.

    Right-sizing the process does not mean adopting every recommendation from best-practice frameworks. It means balancing the efficiency of change request fulfillment with minimizing risk to your organization. Furthermore, creating a process that encourages adherence is key to preventing change implementers from skirting your process altogether.

    Benedict Chang, Research Analyst, Infrastructure and Operations, Info-Tech Research Group

    Executive Summary

    Your Challenge

    Infrastructure and application change occurs constantly and is driven by changing business needs, requests for new functionality, operational releases and patches, and resolution of incidents or problems detected by the service desk.

    IT managers need to follow a standard change management process to ensure that rogue changes are never deployed while the organization remains responsive to demand.

    Common Obstacles

    IT system owners often resist change management because they see it as slow and bureaucratic.

    At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up-to-date and do not catch the potential linkages.

    Infrastructure changes are often seen as “different” from application changes and two (or more) processes may exist.

    Info-Tech’s Approach

    Info-Tech’s approach will help you:

    • Create a unified change management practice that balances risk and throughput of innovation.
    • Categorize changes based on an industry-standard risk model with objective measures of impact and likelihood.
    • Establish and empower a Change Manager and Change Advisory Board (CAB) with the authority to manage, approve, and prioritize changes.

    Balance Risk and Efficiency to Optimize IT Change Management

    Two goals of change management are to protect the live environment and to deploy changes in a timely manner. These two may sometimes seem to be at odds with each other, but assessing risk at multiple points of a change’s lifecycle can help you achieve both.

    Your challenge

    This research is designed to help organizations who need to:

    • Build a right-sized change management practice that encourages adherence and balances efficiency and risk.
    • Integrate the change management practice with project management, service desk processes, configuration management, and other areas of IT and the business.
    • Communicate the benefits and impact of change management to all the stakeholders affected by the process.

    Change management is heavily reliant on organizational culture

    Having a right-sized process is not enough. You need to build and communicate the process to gather adherence. The process is useless if stakeholders are not aware of it or do not follow it.

    Increase the Effectiveness of Change Management in Your Organization

    The image is a bar graph, with the segments labelled 1 and 2. The y-axis lists numbers 1-10. Segment 1 is at 6.2, and segment 2 is at 8.6.

    Of the eight infrastructure & operations processes measured in Info-Tech’s IT Management and Governance Diagnostic (MGD) program, change management has the second largest gap between importance and effectiveness of these processes.

    Source: Info-Tech 2020; n=5,108 IT professionals from 620 organizations

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Gaining buy-in can be a challenge no matter how well the process is built.
    • The complexity of the IT environment and culture of tacit knowledge for configuration makes it difficult to assess cross-dependencies of changes.
    • Each silo or department may have their own change management workflows that they follow internally. This can make it difficult to create a unified process that works well for everyone.

    “Why should I fill out an RFC when it only takes five minutes to push through my change?”

    “We’ve been doing this for years. Why do we need more bureaucracy?”

    “We don’t need change management if we’re Agile.”

    “We don’t have the right tools to even start change management.”

    “Why do I have to attend a CAB meeting when I don’t care what other departments are doing?”

    Info-Tech’s approach

    Build change management by implementing assessments and stage gates around appropriate levels of the change lifecycle.

    The image is a circle, comprised of arrows, with each arrow pointing to the next, forming a cycle. Each arrow is labelled, as follows: Improve; Request; Assess; Plan; Approve; Implement

    The Info-Tech difference:

    1. Create a unified change management process that balances risk and throughput of innovation.
    2. Categorize changes based on an industry-standard risk model with objective measures of impact and likelihood.
    3. Establish and empower a Change Manager and Change Advisory Board (CAB) with the authority to manage, approve, and prioritize changes.

    IT change is constant and is driven by:

    Change Management:

    1. Operations - Operational releases, maintenance, vendor-driven updates, and security updates can all be key drivers of change. Example: ITSM version update
      • Major Release
      • Maintenance Release
      • Security Patch
    2. Business - Business-driven changes may include requests from other business departments that require IT’s support. Examples: New ERP or HRIS implementation
      • New Application
      • New Version
    3. Service desk → Incident & Problem - Some incident and problem tickets require a change to facilitate resolution of the incident. Examples: Outage necessitating update of an app (emergency change), a user request for new functionality to be added to an existing app
      • Workaround
      • Fix
    4. Configuration Management Database (CMDB) ↔ Asset Management - In addition to software and hardware asset dependencies, a configuration management database (CMDB) is used to keep a record of changes and is queried to assess change requests.
      • Hardware
      • Software

    Insight summary

    “The scope of change management is defined by each organization…the purpose of change management is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule.” – AXELOS Limited, ITIL 4

    Build a unified change management process balancing risk and change throughput.

    Building a unified process that oversees all changes to the technical environment doesn’t have to be burdensome to be effective. However, the process is a necessary starting point for identifying cross-dependencies and avoiding change collisions and change-related incidents.

    Use an objective framework for estimating risk

    Simply asking, “What is the risk?” will result in subjective responses that will likely minimize the perceived risk. The level of due diligence should align to the criticality of the systems or departments potentially impacted by the proposed changes.

    Integrate your change process with your IT service management system

    Change management in isolation will provide some stability, but maturing the process through service integrations will enable data-driven decisions, decrease bureaucracy, and enable faster and more stable throughput.

    Change management and DevOps can work together effectively

    Change and DevOps tend to be at odds, but the framework does not have to change. Lower risk changes in DevOps are prime candidates for the pre-approved category. Much of the responsibility traditionally assigned to the CAB can be diffused throughout the software development lifecycle.

    Change management and DevOps can coexist

    Shift the responsibility and rigor to earlier in the process.

    • If you are implementing change management in a DevOps environment, ensure you have a strong DevOps lifecycle. You may wish to refer to Info-Tech’s research Implementing DevOps Practices That Work.
    • Consider starting in this blueprint by visiting Appendix II to frame your approach to change management. Follow the blueprint while paying attention to the DevOps Callouts.

    DEVOPS CALLOUTS

    Look for these DevOps callouts throughout this storyboard to guide you along the implementation.

    The image is a horizontal figure eight, with 7 arrows, each pointing into the next. They are labelled as follows: Plan; Create; Verify; Package; Release; Configure; Monitor. At the centre of the circles are the words Dev and Ops.

    Successful change management will provide benefits to both the business and IT

    Respond to business requests faster while reducing the number of change-related disruptions.

    IT Benefits

    • Fewer change-related incidents and outages
    • Faster change turnaround time
    • Higher rate of change success
    • Less change rework
    • Fewer service desk calls related to poorly communicated changes

    Business Benefits

    • Fewer service disruptions
    • Faster response to requests for new and enhanced functionalities
    • Higher rate of benefits realization when changes are implemented
    • Lower cost per change
    • Fewer “surprise” changes disrupting productivity

    IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.

    Change management improves core benefits to the business: the four Cs

    Most organizations have at least some form of change control in place, but formalizing change management leads to the four Cs of business benefits:

    Control

    Change management brings daily control over the IT environment, allowing you to review every relatively new change, eliminate changes that would have likely failed, and review all changes to improve the IT environment.

    Collaboration

    Change management planning brings increased communication and collaboration across groups by coordinating changes with business activities. The CAB brings a more formalized and centralized communication method for IT.

    Consistency

    Request for change templates and a structured process result in implementation, test, and backout plans being more consistent. Implementing processes for pre-approved changes also ensures these frequent changes are executed consistently and efficiently.

    Confidence

    Change management processes will give your organization more confidence through more accurate planning, improved execution of changes, less failure, and more control over the IT environment. This also leads to greater protection against audits.

    You likely need to improve change management more than any other infrastructure & operations process

    The image shows a vertical bar graph. Each segment of the graph is labelled for an infrastructure/operations process. Each segment has two bars one for effectiveness, and another for importance. The first segment, Change Management, is highlighted, with its Effectiveness at a 6.2 and Importance at 8.6

    Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations

    Of the eight infrastructure and operations processes measured in Info-Tech’s IT Management and Governance Diagnostic (MGD) program, change management consistently has the second largest gap between importance and effectiveness of these processes.

    Executives and directors recognize the importance of change management but feel theirs is currently ineffective

    Info-Tech’s IT Management and Governance Diagnostic (MGD) program assesses the importance and effectiveness of core IT processes. Since its inception, the MGD has consistently identified change management as an area for immediate improvement.

    The image is a vertical bar graph, with four segments, each having 2 bars, one for Effectiveness and the other for Importance. The four segments are (with Effectiveness and Importance ratings in brackets, respectively): Frontline (6.5/8.6); Manager (6.6/8.9); Director (6.4/8.8); and Executive (6.1/8.8)

    Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations

    Importance Scores

    No importance: 1.0-6.9

    Limited importance: 7.0-7.9

    Significant importance: 8.0-8.9

    Critical importance: 9.0-10.0

    Effectiveness Scores

    Not in place: n/a

    Not effective: 0.0-4.9

    Somewhat Ineffective: 5.0-5.9

    Somewhat effective: 6.0-6.9

    Very effective: 7.0-10.0

    There are several common misconceptions about change management

    Which of these have you heard in your organization?

    • “It’s just a small change; this will only take five minutes to do.”
      • Reality: Even a small change can cause a business outage. That small fix could impact a large system connected to the one being fixed.
    • “Ad hoc is faster; too many processes slow things down.”
      • Reality: Ad hoc might be faster in some cases, but it carries far greater risk. Following defined processes keeps systems stable and risk-averse.
    • “Change management is all about speed.”
      • Reality: Change management is about managing risk. It gives the illusion of speed by reducing downtime and unplanned work.
    • “Change management will limit our capacity to change.”
      • Reality: Change management allows for a better alignment of process (release management) with governance (change management).

    Overcome perceived challenges to implementing change management to reap measurable reward

    Before: Informal Change Management

    Change Approval

    • Changes do not pass through a formal review process before implementation.
    • 10% of released changes are approved.
    • Implementation challenge: Staff will resist having to submit formal change requests and assessments, frustrated at the prospect of having to wait longer to have changes approved.

    Change Prioritization

    • Changes are not prioritized according to urgency, risk, and impact.
    • 60% of changes are urgent.
    • Implementation challenge: Influential stakeholders accustomed to having changes approved and deployed might resist having to submit changes to a standard cost-benefit analysis.

    Change Deployment

    • Changes often negatively impact user productivity.
    • 25% of changes are realized as planned.
    • Implementation challenge: Engaging the business so that formal change freeze periods and regular maintenance windows can be established.

    After: Right-Sized Change Management

    Change Approval

    • All changes pass through a formal review process. Once a change is repeatable and well-tested, it can be pre-approved to save time. Almost no unauthorized changes are deployed.
    • 95% of changes are approved.
    • KPI: Decrease in change-related incidents

    Change Prioritization

    • The CAB prioritizes changes so that the business is satisfied with the speed of change deployment.
    • 35% of changes are urgent.
    • KPI: Decrease in change turnaround time.

    Change Deployment

    • Users are always aware of impending changes and changes don’t interrupt critical business activities.
    • Over 80% of changes are realized as planned.
    • KPI: Decrease in the number of failed deployments.

    Info-Tech’s methodology for change management optimization focuses on building standardized processes

    1. Define Change Management
      • Phase Steps: 1.1 Assess Maturity; 1.2 Categorize Changes and Build Your Risk Assessment
      • Phase Deliverables: Change Management Maturity Assessment Tool; Change Management Risk Assessment Tool
    2. Establish Roles and Workflows
      • Phase Steps: 2.1 Determine Roles and Responsibilities; 2.2 Build Core Workflows
      • Phase Deliverables: Change Manager Job Description; Change Management Process Library
    3. Define the RFC and Post-Implementation Activities
      • Phase Steps: 3.1 Design the RFC; 3.2 Establish Post-Implementation Activities
      • Phase Deliverables: Request for Change (RFC) Form Template; Change Management Pre-Implementation Checklist; Change Management Post-Implementation Checklist
    4. Measure, Manage, and Maintain
      • Phase Steps: 4.1 Identify Metrics and Build the Change Calendar; 4.2 Implement the Project
      • Phase Deliverables: Change Management Metrics Tool; Change Management Communications Plan; Change Management Roadmap Tool

    Overall deliverables: Change Management Standard Operating Procedure (SOP); Change Management Project Summary Template

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Change Management Process Library

    Document your normal, pre-approved, and emergency change lifecycles with the core process workflows.

    Change Management Risk Assessment Tool

    Test drive your impact and likelihood assessment questionnaires with the Change Management Risk Assessment Tool.

    Project Summary Template

    Summarize your efforts in the Optimize IT Change Management Improvement Initiative: Project Summary Template.

    Change Management Roadmap Tool

    Record your action items and roadmap your steps to a mature change management process.

    Key Deliverable:

    Change Management SOP

    Document and formalize your process starting with the change management standard operating procedure (SOP).

    These case studies illustrate the value of various phases of this project

    Define Change Management

    Establish Roles and Workflows

    Define RFC and Post-Implementation Activities

    Measure, Manage, and Maintain

    A major technology company implemented change management to improve productivity by 40%. This case study illustrates the full scope of the project.

    A large technology firm experienced a critical outage due to poor change management practices. This case study illustrates the scope of change management definition and strategy.

    Ignorance of change management process led to a technology giant experiencing a critical cloud outage. This case study illustrates the scope of the process phase.

    A manufacturing company created a makeshift CMDB in the absence of a CMDB to implement change management. This case study illustrates the scope of change intake.

    A financial institution tracked and recorded metrics to aid in the success of their change management program. This case study illustrates the scope of the implementation phase.

    Working through this project with Info-Tech can save you time and money

    Engaging in a Guided Implementation doesn’t just offer valuable project advice, it also results in significant cost savings.

    Guided Implementation: Measured Value

    Phase 1: Define Change Management

    • We estimate Phase 1 activities will take 2 FTEs 10 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days * $80,000/year).

    Phase 2: Establish Roles and Workflows

    • We estimate Phase 2 will take 2 FTEs 10 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days * $80,000/year).

    Phase 3: Define the RFC and Post-Implementation Activities

    • We estimate Phase 3 will take 2 FTEs 10 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days * $80,000/year).

    Phase 4: Measure, Manage, and Maintain

    • We estimate Phase 4 will take 2 FTEs 5 days to complete on their own, but the time saved by using Info-Tech’s methodology will cut that time in half, thereby saving $1,500 (2 FTEs * 2.5 days * $80,000/year).

    Total Savings: $10,800

    Case Study

    Industry: Technology

    Source: Daniel Grove, Intel

    Intel implemented a robust change management program and experienced a 40% improvement in change efficiency.

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    ITIL Change Management Implementation

    With close to 4,000 changes occurring each week, managing Intel’s environment is a formidable task. Before implementing change management within the organization, over 35% of all unscheduled downtime was due to errors resulting from change and release management. Processes were ad hoc or scattered across the organization and no standards were in place.

    Results

    After a robust implementation of change management, Intel experienced a number of improvements including automated approvals, the implementation of a formal change calendar, and an automated RFC form. As a result, Intel improved change productivity by 40% within the first year of the program’s implementation.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 and 12 calls over the course of 4 to 6 months.

    Define Change Management

    • Call #1: Introduce change concepts.
    • Call #2: Assess current maturity.
    • Call #3: Identify target-state capabilities.

    Establish Roles and Workflows

    • Call #4: Review roles and responsibilities.
    • Call #5: Review core change processes.

    Define RFC and Post-Implementation Activities

    • Call #6: Define change intake process.
    • Call #7: Create pre-implementation and post-implementation checklists.

    Measure, Manage, and Maintain

    • Call #8: Review metrics.
    • Call #9: Create roadmap.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1: Define Change Management

    • Activities
      • 1.1 Outline Strengths and Challenges
      • 1.2 Conduct a Maturity Assessment
      • 1.3 Build a Change Categorization Scheme
      • 1.4 Build Your Risk Assessment
    • Deliverables
      • 1. Maturity Assessment
      • 2. Risk Assessment

    Day 2: Establish Roles and Workflows

    • Activities
      • 2.1 Define the Change Manager Role
      • 2.2 Outline CAB Protocol and Membership
      • 2.3 Build Normal Change Process
      • 2.4 Build Emergency Change Process
      • 2.5 Build Pre-Approved Change Process
    • Deliverables
      • 1. Change Manager Job Description
      • 2. Change Management Process Library

    Day 3: Define the RFC and Post-Implementation Activities

    • Activities
      • 3.1 Create an RFC Template
      • 3.2 Determine Post-Implementation Activities
      • 3.3 Build a Change Calendar Protocol
    • Deliverables
      • 1. Request for Change (RFC) Form Template
      • 2. Pre-Implementation Checklist
      • 3. Post-Implementation Checklist

    Day 4: Measure, Manage, and Maintain

    • Activities
      • 4.1 Identify Metrics and Reports
      • 4.2 Create Communications Plan
      • 4.3 Build an Implementation Roadmap
    • Deliverables
      • 1. Metrics Tool
      • 2. Communications Plan
      • 3. Project Roadmap

    Day 5: Next Steps and Wrap-Up (offsite)

    • Activities
      • 5.1 Complete in-progress deliverables from previous four days
      • 5.2 Set up review time for workshop deliverables and to discuss next steps
    • Deliverables
      • 1. Change Management Standard Operating Procedure (SOP)
      • 2. Workshop Summary Deck

    Phase 1

    Define Change Management

    Define Change Management

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Your Risk Assessment

    Establish Roles and Workflows

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    Define the RFC and Post-Implementation Activities

    3.1 Design the RFC

    3.2 Establish Post-Implementation Activities

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project

    This phase will guide you through the following steps:

    • Assess Maturity
    • Categorize Changes and Build Your Risk Assessment

    This phase involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Step 1.1

    Assess Maturity

    Activities

    1.1.1 Outline the Organization’s Strengths and Challenges

    1.1.2 Complete a Maturity Assessment

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • An understanding of mature change management processes and frameworks
    • Identification of existing change management challenges and potential causes
    • A framework for assessing change management maturity and an assessment of your existing change management processes

    Change management is often confused with release management, but they are distinct processes

    Change

    • Change management looks at software changes as well as hardware, database, integration, and network changes, with the focus on stability of the entire IT ecosystem for business continuity.
    • Change management provides a holistic view of the IT environment, including dependencies, to ensure nothing is negatively affected by changes.
    • Change documentation is more focused on process, ensuring dependencies are mapped, rollout plans exist, and the business is not at risk.

    Release

    • Release and deployment are the detailed plans that bundle patches, upgrades, and new features into deployment packages, with the intent to move them flawlessly into a production environment.
    • Release management is one of many actions performed under change management’s governance.
    • Release documentation includes technical specifications such as change schedule, package details, change checklist, configuration details, test plan, and rollout and rollback plans.

    Info-Tech Insight

    Ensure the Release Manager is present as part of your CAB. They can explain any change content or dependencies, communicate business approval, and advise the service desk of any defects.

    Integrate change management with other IT processes

    As seen in the context diagram, change management interacts closely with many other IT processes including release management and configuration management (seen below). Ensure you delineate when these interactions occur (e.g. RFC updates and CMDB queries) and which process owns each task.

    The image is a chart mapping the interactions between Change Management and Configuration Management (CMDB).

    Avoid the challenges of poor change management

    1. Deployments
      • Too frequent: The need for frequent deployments results in reduced availability of critical business applications.
      • Failed deployments or rework is required: Deployments are not successful and have to be backed out of and then reworked to resolve issues with the installation.
      • High manual effort: A lack of automation results in high resource costs for deployments. Human error is likely, which adds to the risk of a failed deployment.
    2. Incidents
      • Too many unauthorized changes: If the process is perceived as cumbersome and ineffective, people will bypass it or abuse the emergency designation to get their changes deployed faster.
      • Changes cause incidents: When new releases are deployed, they create problems with related systems or applications.
    3. End Users
      • Low user satisfaction: Poor communication and training result in surprised and unhappy users and support staff.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” – Anonymous, VP IT of a federal credit union

    1.1.1 Outline the Organization’s Strengths and Challenges

    Input

    • Current change documentation (workflows, SOP, change policy, etc.)
    • Organizational chart(s)

    Output

    • List of strengths and challenges for change management

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. As a group, discuss and outline the change management challenges facing the organization. These may be challenges caused by poor change management processes or by a lack of process.
    2. Use the pain points found on the previous slide to help guide the discussion.
    3. As a group, also outline the strengths of change management and the strengths of the current organization. Use these strengths as a guide to know what practices to continue and what strengths you can leverage to improve the change management process.
    4. Record the activity results in the Project Summary Template.

    Download the Optimize IT Change Management Improvement Initiative: Project Summary Template

    Assess current change management maturity to create a plan for improvement

    Maturity levels: Chaos, Reactive, Controlled, Proactive, Optimized

    Change Requests
      • Chaos: No defined processes for submitting changes
      • Reactive: Low process adherence and no RFC form
      • Controlled: RFC form is centralized and a point of contact for changes exists
      • Proactive: RFCs are reviewed for scope and completion
      • Optimized: RFCs trend analysis and proactive change exists

    Change Review
      • Chaos: Little to no change risk assessment
      • Reactive: Risk assessment exists for each RFC
      • Controlled: RFC form is centralized and a point of contact for changes exists
      • Proactive: Change calendar exists and is maintained
      • Optimized: System and component dependencies exist (CMDB)

    Change Approval
      • Chaos: No formal approval process exists
      • Reactive: Approval process exists but is not widely followed
      • Controlled: Unauthorized changes are minimal or nonexistent
      • Proactive: Change advisory board (CAB) is established and formalized
      • Optimized: Trend analysis exists increasing pre-approved changes

    Post-Deployment
      • Chaos: No post-deployment change review exists
      • Reactive: Process exists but is not widely followed
      • Controlled: Reduction of change-related incidents
      • Proactive: Stakeholder satisfaction is gathered and reviewed
      • Optimized: Lessons learned are propagated and actioned

    Process Governance
      • Chaos: Roles & responsibilities are ad hoc
      • Reactive: Roles, policies & procedures are defined & documented
      • Controlled: Roles, policies & procedures are defined & documented
      • Proactive: KPIs are tracked, reported on, and reviewed
      • Optimized: KPIs are proactively managed for improvement

    Info-Tech Insight

    Reaching an optimized level is not feasible for every organization. You may be able to run a very good change management process at the Proactive or even Controlled stage. Pay special attention to keeping your goals attainable.

    1.1.2 Complete a Maturity Assessment

    Input

    • Current change documentation (workflows, SOP, change policy, etc.)

    Output

    • Assessment of current maturity level and goals to improve change management

    Materials

    Participants

    • Change Manager
    • Service Desk Manager
    • Operations (optional)
    1. Use Info-Tech’s Change Management Maturity Assessment Tool to assess the maturity and completeness of your change process.
    2. Significant gaps revealed in this assessment should be the focal points of your discussion when investigating root causes and brainstorming remediation activities:
      1. For each activity of each process area of change management, determine the degree of completeness of your current process.
      2. Review your maturity assessment results and discuss as a group potential reasons why you arrived at your maturity level. Identify areas where you should focus your initial attention for improvement.
      3. Regularly review the maturity of your change management practices by completing this maturity assessment tool periodically to identify other areas to optimize.

    Download the Change Management Maturity Assessment Tool

    Case Study

    Even Google isn’t immune to change-related outages. Plan ahead and communicate to help avoid change-related incidents

    Industry: Technology

    Source: The Register

    As part of a routine maintenance procedure, Google engineers moved App Engine applications between data centers in the Central US to balance out traffic.

    Unfortunately, at the same time that applications were being rerouted, a software update was in progress on the traffic routers, which triggered a restart. This temporarily diminished router capacity, knocking out a sizeable portion of Google Cloud.

    The server drain resulted in a huge spike in startup requests, and the routers simply couldn’t handle the traffic.

    As a result, 21% of Google App Engine applications hosted in the Central US experienced error rates in excess of 10%, while an additional 16% of applications experienced latency, albeit at a lower rate.

    Solution

    Thankfully, engineers were actively monitoring the implementation of the change and were able to spring into action to halt the problem.

    The change was rolled back after 11 minutes, but the configuration error still needed to be fixed. After about two hours, the change failure was resolved and the Google Cloud was fully functional.

    One takeaway for the engineering team was to closely monitor how changes are scheduled. Ultimately, this was the result of miscommunication and a lack of transparency between change teams.

    Step 1.2

    Categorize Changes and Build Your Risk Assessment

    Activities

    1.2.1 Define What Constitutes a Change

    1.2.2 Build a Change Categorization Scheme

    1.2.3 Build a Classification Scheme to Assess Impact

    1.2.4 Build a Classification Scheme to Define Likelihood

    1.2.5 Evaluate and Adjust Your Risk Assessment Scheme

    This step involves the following participants:

    • Infrastructure/Applications Manager
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • A clear definition of what constitutes a change in your organization
    • A defined categorization scheme to classify types of changes
    • A risk assessment matrix and tool for evaluating and prioritizing change requests according to impact and likelihood of risk

    Change must be managed to mitigate risk to the infrastructure

    Change management is the gatekeeper protecting your live environment.

    Successfully managed changes will optimize risk exposure, severity of impact, and disruption. This will result in the bottom-line business benefits of removal of risk, early realization of benefits, and savings of money and time.

    • IT change is constant; change requests will be made both proactively and reactively to upgrade systems, acquire new functionality, and to prevent or resolve incidents.
    • Every change to the infrastructure must pass through the change management process before being deployed to ensure that it has been properly assessed and tested, and to check that a backout/rollback plan is in place.
    • It will be less expensive to invest in a rigorous change management process than to resolve incidents, service disruptions, and outages caused by the deployment of a bad change.
    • Change management is what gives you control and visibility regarding what is introduced to the live environment, preventing incidents that threaten business continuity.

    80%

    In organizations without formal change management processes, about 80% (The Visible Ops Handbook) of IT service outage problems are caused by updates and changes to systems, applications, and infrastructure. It’s crucial to track and systematically manage change to fully understand and predict the risks and potential impact of the change.

    Attributes of a change

    Differentiate changes from other IT requests

    Is this in the production environment of a business process?

    The core business of the enterprise or supporting functions may be affected.

    Does the task affect an enterprise managed system?

    If it’s for a local application, it’s a service request.

    How many users are impacted?

    It should usually impact more than a single user (in most cases).

    Is there a configuration, or code, or workflow, or UI/UX change?

    Any impact on a business process is a change; adding a user or a recipient to a report or mailing list is not a change.

    Does the underlying service currently exist?

    If it’s a new service, then it’s better described as a project.

    Is this done/requested by IT?

    It needs to be within the scope of IT for the change management process to apply.

    Will this take longer than one week?

    As a general rule, if it takes longer than 40 hours of work to complete, it’s likely a project.

    Defining what constitutes a change

    Every change request will initiate the change management process; don’t waste time reviewing requests that are out of scope.

    Change

    • Fixing defects in code
    • Changing configuration of an enterprise system
    • Adding new software or hardware components
    • Switching an application to another VM

    Service Request (User)

    • Standardized request
    • New PC
    • Permissions request
    • Change password
    • Add user
    • Purchases

    Operational Task (Backend)

    • Change the backup tape
    • Delete temporary files
    • Maintain database (one that is well defined, repeatable, and predictable)
    • Run utilities to repair a database

    Do not treat every IT request as a change!

    • Many organizations make the mistake of calling a standard service request or operational task a “change.”
    • Every change request will initiate the change management process; don’t waste time reviewing requests that are out of scope.
    • While the overuse of RFCs for out-of-scope requests is better than a lack of process, this will slow the process and delay the approval of more critical changes.
    • Requiring an RFC for something that should be considered day-to-day work will also discourage people from adhering to the process, because the RFC will be seen as meaningless paperwork.

     

    1.2.1 Define What Constitutes a Change

    Input

    • List of examples of each category of the chart

    Output

    • Definitions for each category to be used at change intake

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers/pens
    • Change Management SOP

    Participants

    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. As a group, brainstorm examples of changes, projects, service requests (user), operational tasks (backend), and releases. You may add additional categories as needed (e.g. incidents).
    2. Have each participant write the examples on sticky notes and populate the following chart on the whiteboard/flip chart.
    3. Use the examples to draw lines and determine what defines each category.
      • What makes a change distinct from a project?
      • What makes a change distinct from a service request?
      • What makes a change distinct from an operational task?
      • When do the category workflows cross over with other categories? (For example, when does a project interact with change management?)
    4. Record the definitions of requests and results in section 2.3 of the Change Management Standard Operating Procedure (SOP).

    Change | Project | Service Request (User) | Operational Task (Backend) | Release
    Changing Configuration | ERP upgrade | Add new user | Delete temp files | Software release

    Download the Change Management Standard Operating Procedure (SOP).

    Each RFC should define resources needed to effect the change

    In addition to assigning a category to each RFC based on risk assessment, each RFC should also be assigned a priority based on the impact of the change on the IT organization, in terms of the resources needed to effect the change.

    Categories include

    Normal

    Emergency

    Pre-Approved

    The majority of changes will be pre-approved or normal changes. Definitions of each category are provided on the next slide.

    Info-Tech uses the term pre-approved rather than the ITIL terminology of standard to more accurately define the type of change represented by this category.

    A potential fourth change category of expedited may be employed if you are having issues with process adherence or if you experience changes driven from outside change management’s control (e.g. from the CIO, director, judiciary, etc.). See Appendix I for more details.

    Info-Tech Best Practice

    Do not rush to designate changes as pre-approved. You may have a good idea of which changes may be considered pre-approved, but make sure they are in fact low-risk and well-documented before moving them over from the normal category.

    The category of the change determines the process it follows

    Pre-Approved

    Definition
    • Tasks are well-known, documented, and proven
    • Budgetary approval is preordained or within control of change requester
    • Risk is low and understood
    • There’s a low probability of failure
    Trigger
    • The same change is built and changed repeatedly using the same install procedures and resulting in the same low-risk outcome
    Workflow
    • Pre-established
    • Repeatable with same sequence of actions, with minimal judgment or decision points
    Approval
    • Change Manager (does not need to be reviewed by CAB)

    Normal

    Definition
    • All changes that are not pre-approved or emergency will be classified as normal
    • Further categorized by priority/risk
    Trigger
    • Upgrade or new functionality that will capture a business benefit
    • A fix to a current problem
    Workflow
    • Dependent on the change
    • Different workflows depending on prioritization
    Approval
    • CAB

    Emergency

    Definition
    • The change is being requested to resolve a current or imminent critical/severity-1 incident that threatens business continuity
    • Associated with a critical incident or problem ticket
    Trigger
    • A current or imminent critical incident that will impact business continuity
    • Urgency to implement the change must be established, as well as lack of any alternative or workaround
    Workflow
    • Dependent on the change
    Approval
    • Approval from the Emergency Change Advisory Board (E-CAB) is sufficient to proceed with the change
    • A retroactive RFC must be created and approved by the CAB

    Pay close attention to defining your pre-approved changes. They are going to be critical for running a smooth change management practice in a DevOps Environment.

    1.2.2 Build a Change Categorization Scheme

    Input

    • List of examples of each change category

    Output

    • Definitions for each change category

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Service catalog (if applicable)
    • Sticky notes
    • Markers
    • Change Management SOP

    Participants

    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Discuss the change categories on the previous slide and modify the types of descriptions to suit your organization.
    2. Once the change categories or types are defined, identify several examples of change requests that would fall under each category.
    3. Types of normal changes will be further defined in the next activity and can be left blank for now.
    4. Examples are provided below. Capture your definitions in section 4 of your Change Management SOP.

    Pre-Approved (AKA Standard)

    • Microsoft patch management/deployment
    • Windows update
    • Minor form changes
    • Service pack updates on non-critical systems
    • Advance label status on orders
    • Change log retention period/storage
    • Change backup frequency

    Normal

    Major

    • Active directory server upgrade
    • New ERP

    Medium

    • Network upgrade
    • High availability implementation

    Minor

    • Ticket system go-live
    • UPS replacement
    • Cognos update

    Emergency

    • Any change other than a pre-approved change
    • Needed to resolve a major outage in a Tier 1 system

    Assess the risk for each normal change based on impact (severity) and likelihood (probability)

    Create a change assessment risk matrix to standardize risk assessment for new changes. Formalizing this assessment should be one of the first priorities of change management.

    The following slides guide you through the steps of formalizing a risk assessment according to impact and likelihood:

    1. Define a risk matrix: Risk matrices can either be a 3x3 matrix (Minor, Medium, or High Risk as shown on the next slide) or a 4x4 matrix (Minor, Medium, High, or Critical Risk).
    2. Build an impact assessment: Enable consistent measurement of impact for each change by incorporating a standardized questionnaire for each RFC.
    3. Build a likelihood assessment: Enable the consistent measurement of likelihood for each change by incorporating a standardized questionnaire for each RFC.
    4. Test drive your risk assessment and make necessary adjustments: Measure your newly formed risk assessment questionnaires against historical changes to test its accuracy.

    Consider risk

    1. Risk should be the primary consideration in classifying a normal change as Low, Medium, High. The extent of governance required, as well as minimum timeline to implement the change, will follow from the risk assessment.
    2. The business benefit often matches the impact level of the risk – a change that will provide a significant benefit to a large number of users may likely carry an equally major downside if deviations occur.

    Info-Tech Insight

    All changes entail an additional level of risk. Risk is a function of impact and likelihood. Risk may be reduced, accepted, or neutralized through following best practices around training, testing, backout planning, redundancy, timing and sequencing of changes, etc.

    Create a risk matrix to assign a risk rating to each RFC

    Every normal RFC should be assigned a risk rating.

    How is risk rating determined?

    • Priority should be based on the business consequences of implementing or denying the change.
    • Risk rating is assigned using the impact of the risk and likelihood/probability that the event may occur.

    Who determines priority?

    • Priority should be decided with the change requester and with the CAB, if necessary.
    • Don’t let the change requester decide priority alone, as they will usually assign it a higher priority than is justified. Use a repeatable, standardized framework to assess each request.

    How is risk rating used?

    • Risk rating is used to determine which changes should be discussed and assessed first.
    • Time frames and escalation processes should be defined for each risk level.

    RFCs need to clearly identify the risk level of the proposed change. This can be done through statement of impact and likelihood (low/medium/high) or through pertinent questions linked with business rules to assess the risk.

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    Risk Matrix

    Risk Matrix. Impact vs. Likelihood. Low impact, Low Likelihood and Medium Impact, Medium Likelihood are minor risks. High Likelihood, Low Impact; Medium Likelihood, Medium Impact; and Low Likelihood, High Impact are Medium Risk. High Impact, High Likelihood; High Impact, Medium Likelihood; and Medium Impact, High Likelihood are Major risk.

    1.2.3 Build a Classification Scheme to Assess Impact

    Input

    • Current risk assessment (if available)

    Output

    • Tailored impact assessment

    Materials

    Participants

    • CIO
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Define a set of questions to measure risk impact.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk as high, medium, or low.
    4. Capture your results in section 4.3.1 of your Change Management SOP.

    Impact

    Weight | Question | High | Medium | Low
    15% | # of people affected | 36+ | 11-35 | <10
    20% | # of sites affected | 4+ | 2-3 | 1
    15% | Duration of recovery (minutes of business time) | 180+ | 30-18 | <3
    20% | Systems affected | Mission critical | Important | Informational
    30% | External customer impact | Loss of customer | Service interruption | None

    1.2.4 Build a Classification Scheme to Define Likelihood

    Input

    • Current risk assessment (if available)

    Output

    • Tailored likelihood assessment

    Materials

    Participants

    • CIO
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Define a set of questions to measure risk likelihood.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk as high, medium, or low.
    4. Capture your results in section 4.3.2 of your Change Management SOP.

    Likelihood

    Weight | Question | High | Medium | Low
    25% | Has this change been tested? | No | - | Yes
    10% | Have all the relevant groups (companies, departments, executives) vetted the change? | No | Partial | Yes
    5% | Has this change been documented? | No | - | Yes
    15% | How long is the change window? When can we implement? | Specified day/time | Partial | Per IT choice
    20% | Do we have trained and experienced staff available to implement this change? If only external consultants are available, the rating will be “medium” at best. | No | - | Yes
    25% | Has an implementation plan been developed? | No | - | Yes

    1.2.5 Evaluate and Adjust Your Risk Assessment Scheme

    Input

    • Impact and likelihood assessments from previous two activities

    Output

    • Vetted risk assessment

    Materials

    Participants

    • CIO
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Draw your risk matrix on a whiteboard or flip chart.
    2. As a group, identify up to 10 examples of requests for changes that would apply within your organization. Depending on the number of people participating, each person could identify one or two changes and write them on sticky notes.
    3. Take turns bringing your sticky notes up to the risk matrix and placing each where it belongs, according to the assessment criteria you defined.
    4. After each participant has taken a turn, discuss each change as a group and adjust the placement of any changes, if needed. Update the risk assessment weightings or questions, if needed.

    Download the Change Management Risk Assessment Tool.

    # | Change Example | Impact | Likelihood | Risk
    1 | ERP change | High | Medium | Major
    2 | Ticket system go-live | Medium | Low | Minor
    3 | UPS replacement | Medium | Low | Minor
    4 | Network upgrade | Medium | Medium | Medium
    5 | AD upgrade | Medium | Low | Minor
    6 | High availability implementation | Low | Medium | Minor
    7 | Key-card implementation | Low | High | Medium
    8 | Anti-virus update | Low | Low | Minor
    9 | Website | Low | Medium | Minor
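
    The risk assessment built in activities 1.2.3 to 1.2.5, sketched as an added example (not part of the Info-Tech material or its tools): it scores an RFC's questionnaire answers with the sample weights above and looks the result up in the risk matrix. The 1-3 numeric scale, the score cut-offs, the shorthand question keys, and the sample ERP answers are assumptions made for illustration.

```python
"""Weighted RFC risk rating: questionnaire answers -> impact/likelihood -> matrix."""

# Assumed numeric scale for questionnaire ratings (the page does not define one).
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Assumed cut-offs: the weighted score runs from 100 (all low) to 300 (all high)
# and is split into three equal bands.
MEDIUM_CUTOFF = 167
HIGH_CUTOFF = 234

# Weights in percent from the sample tables above; keys are shorthand names.
IMPACT_WEIGHTS = {
    "people_affected": 15,
    "sites_affected": 20,
    "recovery_duration": 15,
    "systems_affected": 20,
    "external_customer_impact": 30,
}
LIKELIHOOD_WEIGHTS = {
    "tested": 25,
    "vetted": 10,
    "documented": 5,
    "change_window": 15,
    "trained_staff": 20,
    "implementation_plan": 25,
}

# Likelihood questions that are strictly No (high) / Yes (low) in the sample
# table. "trained_staff" may be medium when only external consultants are available.
BINARY_QUESTIONS = {"tested", "documented", "implementation_plan"}

# (impact, likelihood) -> risk, following the matrix description and the
# worked examples in activity 1.2.5.
RISK_MATRIX = {
    ("low", "low"): "minor",
    ("low", "medium"): "minor",
    ("low", "high"): "medium",
    ("medium", "low"): "minor",
    ("medium", "medium"): "medium",
    ("medium", "high"): "major",
    ("high", "low"): "medium",
    ("high", "medium"): "major",
    ("high", "high"): "major",
}


def rate(answers, weights):
    """Collapse one questionnaire into a single low/medium/high rating."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must total 100%")
    if set(answers) != set(weights):
        mismatch = sorted(set(answers) ^ set(weights))
        raise ValueError(f"unanswered or unknown questions: {mismatch}")
    score = 0
    for question, weight in weights.items():
        rating = answers[question].strip().lower()
        if rating not in LEVEL:
            raise ValueError(f"{question}: rating must be low, medium or high")
        if question in BINARY_QUESTIONS and rating == "medium":
            raise ValueError(f"{question}: only high (No) or low (Yes) is allowed")
        score += weight * LEVEL[rating]
    if score >= HIGH_CUTOFF:
        return "high"
    if score >= MEDIUM_CUTOFF:
        return "medium"
    return "low"


def assess_rfc(impact_answers, likelihood_answers):
    """Return (impact, likelihood, risk) for one normal change."""
    impact = rate(impact_answers, IMPACT_WEIGHTS)
    likelihood = rate(likelihood_answers, LIKELIHOOD_WEIGHTS)
    return impact, likelihood, RISK_MATRIX[(impact, likelihood)]


# Constructed sample answers for an ERP change (illustrative only).
ERP_IMPACT = {
    "people_affected": "high",
    "sites_affected": "medium",
    "recovery_duration": "high",
    "systems_affected": "high",
    "external_customer_impact": "medium",
}
ERP_LIKELIHOOD = {
    "tested": "high",              # not yet tested
    "vetted": "medium",            # partially vetted
    "documented": "low",           # documented
    "change_window": "medium",
    "trained_staff": "medium",     # external consultants only
    "implementation_plan": "low",  # plan exists
}

if __name__ == "__main__":
    print(assess_rfc(ERP_IMPACT, ERP_LIKELIHOOD))
```

    Replaying historical changes through `assess_rfc` and comparing the output with where the group placed them on the whiteboard is one way to run the "test drive" in step 4 of the risk assessment.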

     

    Case Study

    A CMDB is not a prerequisite of change management. Don’t let the absence of a configuration management database (CMDB) prevent you from implementing change management.

    Industry: Manufacturing

    Source: Anonymous Info-Tech member

    Challenge

    The company was planning to implement a CMDB; however, full implementation was still one year away and subject to budget constraints.

    Without a CMDB, it would be difficult to understand the interdependencies between systems and therefore be able to provide notifications to potentially affected user groups prior to implementing technical changes.

    This could have derailed the change management project.

    Solution

    An Excel template was set up as a stopgap measure until the full implementation of the CMDB. The template included all identified dependencies between systems, along with a “dependency tier” for each IT service.

    Tier 1: The dependent system would not operate if the upstream system change resulted in an outage.

    Tier 2: The dependent system would suffer severe degradation of performance and/or features.

    Tier 3: The dependent system would see minor performance degradation or minor feature unavailability.

    Results

    As a stopgap measure, the solution worked well. When changes ran the risk of degrading downstream dependent systems, the impacted business system owner’s authorization was sought and end users were informed in advance.

    The primary takeaway was that a system to manage configuration linkages and system dependencies was key.

    While a CMDB is ideal for this use case, IT organizations shouldn’t let the lack of such a system stop progress on change management.

    Case Study (part 1 of 4)

    Intel used a maturity assessment to kick-start its new change management program.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    Due to the sheer volume of change management activities present at Intel, over 35% of unscheduled outages were the result of changes.

    Ineffective change management was identified as the top contributor of incidents with unscheduled downtime.

    One of the major issues highlighted was a lack of process ownership. The change management process at Intel was very fragmented, and that needed to change.

    Results

    Daniel Grove, Senior Release & Change Manager at Intel, identified that clarifying tasks for the Change Manager and the CAB would improve process efficiency by reducing decision lag time. Roles and responsibilities were reworked and clarified.

    Intel conducted a maturity assessment of the overall change management process to identify key areas for improvement.

    Phase 2

    Establish Roles and Workflows

    For running change management in a DevOps environment, see Appendix II.

    Define Change Management

    1.1 Assess Maturity

    1.2 Categorize Changes and Build Your Risk Assessment

    Establish Roles and Workflows

    2.1 Determine Roles and Responsibilities

    2.2 Build Core Workflows

    Define RFC and Post-Implementation Activities

    3.1 Design the RFC

    3.2 Establish Post-Implementation Activities

    Measure, Manage, and Maintain

    4.1 Identify Metrics and Build the Change Calendar

    4.2 Implement the Project

    This phase will guide you through the following steps:

    • Determine Roles and Responsibilities
    • Build Core Workflows

    This phase involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Step 2.1

    Determine Roles and Responsibilities

    Activities

    2.1.1 Capture Roles and Responsibilities Using a RACI Chart

    2.1.2 Determine Your Change Manager’s Responsibilities

    2.1.3 Define the Authority and Responsibilities of Your CAB

    2.1.4 Determine an E-CAB Protocol for Your Organization

    Establish Roles and Workflows

    Step 2.1: Determine Roles and Responsibilities → Step 2.2: Build Core Workflows

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • Clearly defined responsibilities to form the job description for a Change Manager
    • Clearly defined roles and responsibilities for the change management team, including the business system owner, technical SME, and CAB members
    • Defined responsibilities and authority of the CAB
    • Protocol for an emergency CAB (E-CAB) meeting

    Identify roles and responsibilities for your change management team

    Business System Owner

    • Provides downtime window(s)
    • Advises on need for change (prior to creation of RFC)
    • Validates change (through UAT or other validation as necessary)
    • Provides approval for expedited changes (needs to be at executive level)

    Technical Subject Matter Expert (SME)

    • Advises on proposed changes prior to RFC submission
    • Reviews draft RFC for technical soundness
    • Assesses backout/rollback plan
    • Checks if knowledgebase has been consulted for prior lessons learned
    • Participates in the PIR, if necessary
    • Ensures that the service desk is trained on the change

    CAB

    • Approves/rejects RFCs for normal changes
    • Reviews lessons learned from PIRs
    • Decides on the scope of change management
    • Reviews metrics and decides on remedial actions
    • Considers changes to be added to list of pre-approved changes
    • Communicates to organization about upcoming changes

    Change Manager

    • Reviews RFCs for completeness
    • Ensures RFCs brought to the CAB have a high chance of approval
    • Chairs CAB meetings, including scheduling, agenda preparation, reporting, and follow-ups
    • Manages post-implementation reviews and reporting
    • Organizes internal communications (within IT)

    2.1.1 Capture Roles and Responsibilities Using a RACI Chart

    Input

    • Current SOP

    Output

    • Documented roles and responsibilities in change management in a RACI chart

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. As a group, work through developing a RACI chart to determine the roles and responsibilities of individuals involved in the change management practice based on the following criteria:
      • Responsible (performs the work)
      • Accountable (ensures the work is done)
      • Consulted (two-way communication)
      • Informed (one-way communication)
    2. Record your results in slide 14 of the Project Summary Template and section 3.1 of your Change Management SOP.
    | Change Management Tasks | Originator | System Owner | Change Manager | CAB Member | Technical SME | Service Desk | CIO/VP IT | E-CAB Member |
    | Review the RFC | C | C | A | C | R | C | R |  |
    | Validate changes | C | C | A | C | R | C | R |  |
    | Assess test plan | A | C | R | R | C |  | I |  |
    | Approve the RFC | I | C | A | R | C |  | I |  |
    | Create communications plan | R | I | A |  |  | I | I |  |
    | Deploy communications plan | I | I | A | I |  | R |  |  |
    | Review metrics |  | C | A | R |  | C | I |  |
    | Perform a post-implementation review |  | C | R | A |  |  | I |  |
    | Review lessons learned from PIR activities |  |  | R | A |  | C |  |  |

    Designate a Change Manager to own the process, change templates, and tools

    The Change Manager will be the point of contact for all process questions related to change management.

    • The Change Manager needs the authority to reject change requests, regardless of the seniority of the requester.
    • The Change Manager needs the authority to enforce compliance to a standard process.
    • The Change Manager needs enough cross-functional subject-matter expertise to accurately evaluate the impact of change from both an IT and business perspective.

    Info-Tech Best Practice

    Some organizations will not be able to assign a dedicated Change Manager, but they must still task an individual with change review authority and with ownership of the risk assessment and other key parts of the process.

    Responsibilities

    1. The Change Manager is your first stop for change approval. Both the change management and release and deployment management processes rely on the Change Manager to function.
    2. Every single change that is applied to the live environment, from a single patch to a major change, must originate with a request for change (RFC), which is then approved by the Change Manager to proceed to the CAB for full approval.
    3. Change templates and tools, such as the change calendar, list of preapproved changes, and risk assessment template are controlled by the Change Manager.
    4. The Change Manager also needs to have ownership over gathering metrics and reports surrounding deployed changes. A skilled Change Manager needs to have an aptitude for applying metrics for continual improvement activities.

    2.1.2 Document Your Change Manager’s Responsibilities

    Input

    • Current Change Manager job description (if available)

    Output

    • Change Manager job description and list of responsibilities

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Markers/pens
    • Info-Tech’s Change Manager Job Description
    • Change Management SOP

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    1. Using the previous slide, Info-Tech’s Change Manager Job Description, and the examples below, brainstorm responsibilities for the Change Manager.

    2. Record the responsibilities in Section 3.2 of your Change Management SOP.

    Example:

    Change Manager: James Corey

    Responsibilities

    1. Own the process, tools, and templates.
    2. Control the Change Management SOP.
    3. Provide standard RFC forms.
    4. Distribute RFCs for CAB review.
    5. Receive all initial RFCs and check them for completion.
    6. Approve initial RFCs.
    7. Approve pre-approved changes.
    8. Approve the conversion of normal changes to pre-approved changes.
    9. Assemble the Emergency CAB (E-CAB) when emergency change requests are received.
    10. Approve submission of RFCs for CAB review.
    11. Chair the CAB:
      • Set the CAB agenda and distribute it at least 24 hours before the meeting.
      • Ensure the agenda is adhered to.
      • Make the final approval/prioritization decision regarding a change if the CAB is deadlocked and cannot come to an agreement.
      • Distribute CAB meeting minutes to all members and relevant stakeholders.

    Download the Change Manager Job Description

    Create a Change Advisory Board (CAB) to provide process governance

    The primary functions of the CAB are to:

    1. Protect the live environment from poorly assessed, tested, and implemented changes.
      • CAB approval is required for all normal and emergency changes.
      • If a change results in an incident or outage, the CAB is effectively responsible; it’s the responsibility of the CAB to assess and accept the potential impact of every change.
    2. Prioritize changes in a way that fairly reflects change impact and urgency.
      • Change requests will originate from multiple stakeholders, some of whom have competing interests.
      • It’s up to the CAB to prioritize these requests effectively so that business need is balanced with any potential risk to the infrastructure.
      • The CAB should seek to reduce the number of emergency/expedited changes.
    3. Schedule deployments in a way that minimizes conflict and disruption.
      • The CAB uses a change calendar populated with project work, upcoming organizational initiatives, and change freeze periods. They will schedule changes around these blocks to avoid disrupting user productivity.
      • The CAB should work closely with the release and deployment management teams to coordinate change/release scheduling.

    Check which responsibilities in the CAB’s process are already performed by the DevOps lifecycle (e.g. authorization, deconfliction). Do not duplicate efforts.

    Use diverse representation from the business to form an effective CAB

    The CAB needs insight into all areas of the business to avoid approving a high-risk change.

    Based on the core responsibilities you have defined, the CAB needs to be composed of a diverse set of individuals who provide quality:

    • Change need assessments – identifying the value and purpose of a proposed change.
    • Change risk assessments – confirming the technical impact and likelihood assessments that lead to a risk score, based on the inputs in the RFC.
    • Change scheduling – offering a variety of perspectives and responsibilities to identify potential scheduling conflicts.
    CAB Representation and Value Added

    Business Members
    • CAB representation:
      • CIO
      • Business Relationship Manager
      • Service Level Manager
      • Business Analyst
    • Value added:
      • Identify change blackout periods, change impact, and business urgency.
      • Assess impact on fiduciary, legal, and/or audit requirements.
      • Determine acceptable business risk.

    IT Operations Members
    • CAB representation:
      • Managers representing all IT functions
      • IT Directors
      • Subject Matter Experts (SMEs)
    • Value added:
      • Identify dependencies and downstream impacts.
      • Identify possible conflicts with pre-existing OLAs and SLAs.

    CAB Attendees
    • CAB representation:
      • Specific SMEs, tech specialists, and business and vendor reps relevant to a particular change
      • Only attend meetings when invited by the Change Manager
    • Value added:
      • Provide detailed information and expertise related to their particular subject areas.
      • Speak to requirements, change impact, and cost.

    Info-Tech Best Practice

    Form a core CAB (members attend every week) and an optional CAB (members who attend only when a change impacts them or when they can provide value in discussions about a change). This way, members can have their voice heard without spending every week in a meeting where they do not contribute.

    2.1.3 Define the Authority and Responsibilities of Your CAB

    Input

    • Current SOP or CAB charter (if available)

    Output

    • Documented list of CAB authorities and responsibilities

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    1. Using the previous slide and the examples below, list the authorities and responsibilities of your CAB.

    2. Record the responsibilities in section 3.3.2 of your Change Management SOP and the Project Summary Template.

    Example:

    CAB Authority
    • Final authority over the deployment of all normal and emergency changes.
    • Authority to absorb the risk of a change.
    • Authority to set the change calendar:
      • Maintenance windows.
      • Change freeze periods.
      • Project work.
    • Authority to delay changes.

    CAB Responsibilities
    • Evaluate all normal and emergency changes.
    • Verify all normal change test, backout, and implementation plans.
    • Verify all normal change test results.
    • Approve all normal and emergency changes.
    • Prioritize all normal changes.
    • Schedule all normal and emergency changes.
    • Review failed change deployments.

    Establish an emergency CAB (E-CAB) protocol

    • When an emergency change request is received, you will not be able to wait until the regularly scheduled CAB meeting.
    • As a group, decide who will sit on the E-CAB and what their protocol will be when assessing and approving emergency changes.

    Change owner conferences with E-CAB (best efforts to reach them) through email or messaging.

    E-CAB members and business system owners are provided with change details. No decision is made without feedback from at least one E-CAB member.

    If business continuity is being affected, the Change Manager has the authority to approve the change.

    Full documentation of the change (a retroactive RFC) is done after the change and is then reviewed by the CAB.

    Info-Tech Best Practice

    Members of the E-CAB should be a subset of the CAB who are typically quick to respond to their messages, even at odd hours of the night.

    2.1.4 Determine an E-CAB Protocol for Your Organization

    Input

    • Current SOP or CAB charter (if available)

    Output

    • E-CAB protocol

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather the members of the E-CAB and other necessary representatives from the change management team.
    2. Determine the order of operations for the E-CAB in the event that an emergency change is needed.
    3. Consult the example emergency protocol below. Determine what roles and responsibilities are involved at each stage of the emergency change’s implementation.
    4. Document the E-CAB protocol in section 3.4 of your Change Management SOP.

    Example

    Assemble E-CAB

    Assess Change

    Test (if Applicable)

    Deploy Change

    Create Retroactive RFC

    Review With CAB

    Step 2.2

    Build Core Workflows

    Activities

    2.2.1 Build a CMDB-lite as a Reference for Requested Changes

    2.2.2 Create a Normal Change Process

    2.2.3 Create a Pre-Approved Change Process

    2.2.4 Create an Emergency Change Process

    Establish Roles and Workflows

    Step 2.1: Determine Roles and Responsibilities → Step 2.2: Build Core Workflows

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • Emergency change workflow
    • Normal process workflow
    • Pre-approved change workflow

    Establishing Workflows: Change Management Lifecycle

    Improve

    • A post-implementation review assesses the value of the actual change measured against the proposed change in terms of benefits, costs, and impact.
    • Results are recorded in the change log.
    • Accountability: Change Manager, Change Implementer

    Request

    • A change request (RFC) can be submitted via paper form, phone, email, or web portal.
    • Accountability: Change requester/Initiator

    Assess

    • The request is screened to ensure it meets an agreed-upon set of business criteria.
    • Changes are assessed on:
      • Impact of change
      • Risks or interdependencies
      • Resourcing and costs
    • Accountability: Change Manager

    Plan

    • Tasks are assigned, planned, and executed.
    • Change schedule is consulted and necessary resources are identified.
    • Accountability: Change Manager

    Approve

    • Approved requests are sent to the most efficient channel based on risk, urgency, and complexity.
    • Change is sent to CAB members for final review and approval.
    • Accountability: Change Manager, Change Advisory Board

    Implement

    • Approved changes are deployed.
    • A rollback plan is created to mitigate risk.
    • Accountability: Change Manager, Change Implementer

    Establishing workflows: employ a SIPOC model for process definition

    A good SIPOC (supplier, input, process, output, customer) model helps establish the boundaries of each process step and provides a concise definition of the expected outcomes and required inputs. It’s a useful and recommended next step for every workflow diagram.

    For change management, employ a SIPOC model to outline your CAB process:

    Supplier

    • Who or what organization provides the inputs to the process? The supplier can be internal or external.

    Input

    • What goes into the process step? This can be a document, data, information, or a decision.

    Process

    • Activities that occur in the process step that’s being analyzed.

    Output

    • What does the process step produce? This can be a document, data, information, or a decision.

    Customer

    • Who or what organization(s) takes the output of the process? The customer can be internal or external.

    Optional Fields

    Metrics

    • Top-level indicators that usually relate to the input and output, e.g. turnaround time, risk matrix completeness.

    Controls

    • Checkpoints to ensure process step quality.

    Dependencies

    • Other process steps that require the output.

    RACI

    • Those who are Responsible, Accountable, Consulted, or Informed (RACI) about the input, output, and/or process.

    Establish change workflows: assess requested changes to identify impact and dependencies

    An effective change assessment workflow is a holistic process that leaves no stone unturned in an effort to mitigate risk before any change reaches the approval stage. The four crucial areas of risk in a change workflow are:

    Dependencies

    Identify all components of the change.

    Ask how changes will affect:

    • Services on the same infrastructure?
    • Applications?
    • Infrastructure/app architecture?
    • Security?
    • Ability to support critical systems?

    Business Impact

    Frame the change from a business point of view to identify potential disruptions to business activities.

    Your assessment should cover:

    • Business processes
    • User productivity
    • Customer service
    • BCPs

    SLA Impact

    Each new change can impact the level of service available.

    Examine the impact on:

    • Availability of critical systems
    • Infrastructure and app performance
    • Infrastructure and app capacity
    • Existing disaster recovery plans and procedures

    Required Resources

    Once risk has been assessed, resources need to be identified to ensure the change can be executed.

    These include:

    • People (SMEs, tech support, work effort/duration)
    • System time for scheduled implementation
    • Hardware or software (new or existing, as well as tools)

    Establishing workflows: pinpoint dependencies to identify the need for additional changes

    An assessment of each change and a query of the CMDB need to be performed as part of the change planning process to mitigate outage risk.

    • A version upgrade on one piece of software may require another component to be upgraded as well. For example, an upgrade to the database management system requires that an application that uses the database be upgraded or modified.
    • The sequence of the release must also be determined, as certain components may need to be upgraded before others. For example, if you upgrade the Exchange Server, a Windows update must be installed prior to the Exchange upgrade.
    • If you do not have a CMDB, consider building a CMDB-lite, which consists of a listing of systems, primary users, SMEs, business owners, and system dependencies (see next slide).

    Services Impacted

    • Have affected services been identified?
    • Have supporting services been identified?
    • Has someone checked the CMDB to ensure all dependencies have been accounted for?
    • Have we referenced the service catalog so the business approves what they’re authorizing?

    Technical Teams Impacted

    • Who will support the change throughout testing and implementation?
    • Will additional support be needed?
    • Do we need outside support from external suppliers?
    • Has someone checked the contract to ensure any additional costs have been approved?

    Build a dependency matrix to avoid change-related collisions (optional)

    A CMDB-lite does not replace a CMDB but can be a valuable tool to leverage when requesting changes if you do not currently have configuration management. Consider the following inputs when building your own CMDB-lite.

    • System
      • To build a CMDB-lite, start with the top 10 systems in your environment that experience changes. This list can always be populated iteratively.
    • Primary Users
      • Listing the primary users will give a change requester a first glance at the impact of the change.
      • You can also use this information when looking at the change communication and training after the change is implemented.
    • SME/Backup
      • These are the staff that will likely build and implement the change. The backup is listed in case the primary is on holiday.
    • Business System Owner
      • The owner of the system is one of the people needed to sign off on the change. Having their support from the beginning of a change is necessary to build and implement it successfully.
    • Tier 1 Dependency
      • If the primary system experiences an outage, Tier 1 dependency functionality is also lost. To request a change, include the business system owner signoffs of the Tier 1 dependencies of the primary system.
    • Tier 2 Dependency
      • If the primary system experiences an outage, Tier 2 dependency functionality is lost, but there is an available workaround. As with Tier 1, this information can help you build a backout plan in case there is a change-related collision.
    • Tier 3 Dependency
      • Tier 3 functionality is not lost if the primary system experiences an outage, but nice-to-haves such as aesthetics are affected.

    2.2.1 Build a CMDB-lite as a Reference for Requested Changes

    Input

    • Current system ownership documentation

    Output

    • Documented reference for change requests (CMDB-lite)

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Sticky notes
    • Markers/pens

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Start with a list of your top 10-15 systems/services with the highest volume of changes.
    2. Using a whiteboard, flip chart, or shared screen, complete the table below by filling the corresponding Primary Users, SMEs, Business System Owner, and Dependencies as shown below. It may help to use sticky notes.
    3. Iteratively populate the table as you notice gaps with incoming changes.
    | System | Primary Users | SME | Backup SME(s) | Business System Owner | Tier 1 Dependency (system functionality is down) | Tier 2 (impaired functionality/workaround available) | Tier 3 Dependency (nice to have) |
    | Email | Enterprise | Naomi | Amos | James |
    • ITSMs
    • Scan-to-email
    • Reporting
     
    • Lots
    | Conferencing Tool | Enterprise | Alex | Shed | James |
    • Videoconferencing
    • Conference rooms (can use Facebook messenger instead in worst case scenario)
    • IM
    | ITSM (Service Now) | Enterprise (Intl.) | Anderson | TBD | Mike |
    • Work orders
    • Dashboards
    • Purchasing
     
    | ITSM (Manage Engine) | North America | Bobbie | Joseph | Mike |
    • Work orders
    • Dashboards
    • Purchasing
     

    Establishing workflows: create standards for change approvals to improve efficiency

    • Not all changes are created equal, and not all changes require the same degree of approval. As part of the change management process, it’s important to define who is the authority for each type of change.
    • Failure to do so can create bureaucratic bottlenecks if each change is held to an unnecessarily high level of scrutiny, or unplanned outages may occur due to changes circumventing the formal approval process.
    • A balance must be struck and defined to ensure the process is not bypassed or bottlenecked.

    Info-Tech Best Practice

    Define a list of pre-approved changes and automate them (if possible) using your ITSM solution. This will save valuable time for more important changes in the queue.

    Example:

    | Change Category | Change Authority |
    | Pre-approved change | Department head/manager |
    | Emergency change | E-CAB |
    | Normal change – low and medium risk | CAB |
    | Normal change – high risk | CAB and CIO (for visibility) |
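
    The CMDB-lite columns and the change authority example above can be combined into a sign-off check run when an RFC is drafted. The sketch below is an added example, not part of the original material: the systems, owners, and the function and field names are constructed, and applying Tier 1 owner sign-off to every change category is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class SystemRecord:
    """One CMDB-lite row, using the columns listed for the dependency matrix."""
    name: str
    primary_users: str
    sme: str
    backup_sme: str
    owner: str                                  # business system owner
    tier1: list = field(default_factory=list)   # functionality is lost
    tier2: list = field(default_factory=list)   # impaired, workaround available
    tier3: list = field(default_factory=list)   # nice-to-haves affected


def change_authority(category, risk=None):
    """Return the approving authority for a change category (and risk level)."""
    if category == "pre-approved":
        return ["Department head/manager"]
    if category == "emergency":
        return ["E-CAB"]
    if category == "normal":
        if risk in ("low", "medium"):
            return ["CAB"]
        if risk == "high":
            return ["CAB", "CIO"]               # CIO is included for visibility
        raise ValueError("normal changes need risk: low, medium or high")
    raise ValueError(f"unknown change category: {category!r}")


def required_signoffs(cmdb, system, category, risk=None):
    """Derive sign-offs and data gaps for a change to `system`.

    Approvers are the change authority, the system's business owner, and the
    business owners of its Tier 1 dependencies. Tier 2 dependencies are
    returned for backout planning. Missing rows and unassigned SMEs are
    reported as gaps so the CMDB-lite can be populated iteratively.
    """
    if system not in cmdb:
        raise KeyError(f"{system!r} has no CMDB-lite row")
    record = cmdb[system]
    approvers = list(change_authority(category, risk))
    gaps = []

    def add(name):
        if name not in approvers:
            approvers.append(name)

    add(record.owner)
    for dep in record.tier1:
        dep_record = cmdb.get(dep)
        if dep_record is None:
            gaps.append(f"Tier 1 dependency '{dep}' has no CMDB-lite row; owner unknown")
        else:
            add(dep_record.owner)

    for role, person in (("SME", record.sme), ("backup SME", record.backup_sme)):
        if person.strip().upper() in ("", "TBD"):
            gaps.append(f"{system}: {role} not assigned")

    return {
        "approvers": approvers,
        "backout_review": list(record.tier2),
        "gaps": gaps,
    }


# Constructed sample data (hypothetical systems and owners).
SAMPLE_CMDB = {
    r.name: r
    for r in [
        SystemRecord("Directory", "Enterprise", "SME-1", "TBD", "Owner-A",
                     tier1=["Payroll", "VPN"], tier2=["Wiki"]),
        SystemRecord("Payroll", "Finance", "SME-2", "SME-3", "Owner-B"),
        SystemRecord("Wiki", "Enterprise", "SME-4", "SME-1", "Owner-C"),
    ]
}

if __name__ == "__main__":
    result = required_signoffs(SAMPLE_CMDB, "Directory", "normal", "high")
    for key, value in result.items():
        print(f"{key}: {value}")
```

    A non-empty gaps list means the RFC cannot yet name every sign-off, which is the cue to fill in the missing CMDB-lite rows before the change goes to the CAB.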

    Example process: Normal Change – Change Initiation

    Change initiation allows for assurance that the request is in scope for change management and acts as a filter for out-of-scope changes to be redirected to the proper workflow. Initiation also assesses who may be assigned to the change and the proper category of the change, and results in an RFC to be populated before the change reaches the build and test phase.

    The image is a horizontal flow chart, depicting an example of a change process.

    The change trigger assessment is critical in the DevOps lifecycle. This can take a more formal role of a technical review board (TRB) or, with enough maturity, may be automated. Responsibilities such as deconfliction, dependency identification, calendar query, and authorization identification can be done early in the lifecycle to decrease or eliminate the burden on CAB.

    For the full process, refer to the Change Management Process Library.

    Example process: Normal Change – Technical Build and Test

    The technical build and test stage includes all technical prerequisites and testing needed for a change to pass before proceeding to approval and implementation. In addition to a technical review, a solution consisting of the implementation, rollback, communications, and training plans is also built and included in the RFC before passing it to the CAB.

    The image is a flowchart, showing the process for change during the technical build and test stage.

    For the full process, refer to the Change Management Process Library.

    Example process: Normal Change – Change Approval (CAB)

    Change approval can start with the Change Manager reviewing all incoming RFCs to filter them for completeness and check them for red flags before passing them to the CAB. This saves the CAB from discussing incomplete changes and allows the Change Manager to set a CAB agenda before the CAB meeting. If need be, change approval can also set vendor communications necessary for changes, as well as the final implementation date of the change. The CAB and Change Manager may follow up with the appropriate parties notifying them of the approval decision (accepted, rescheduled, or rejected).

    The image shows a flowchart illustrating the process for change approval.

    For the full process, refer to the Change Management Process Library.

    Example process: Normal Change – Change Implementation

    Changes should not end at implementation. Ensure you define post-implementation activities (documentation, communication, training, etc.) and a post-implementation review in case the change does not go according to plan.

    The image is a flowchart, illustrating the work process for change implementation and post-implementation review.

    For the full process, refer to the Change Management Process Library.

    2.2.2 Create a Normal Change Process

    Input

    • Current SOP/workflow library

    Output

    • Normal change process

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Using the examples shown on the previous few slides, work as a group to determine the workflow for a normal change, with particular attention to the following sub-processes:
      1. Request
      2. Assessment
      3. Plan
      4. Approve
      5. Implementation and Post-Implementation Activities
    3. Optionally, you may create variations of the workflow for minor, medium, and major changes (e.g. there will be fewer authorizations for minor changes).
    4. For further documentation, you may choose to run the SIPOC activity for your CAB as outlined on this slide.
    5. Document the resulting workflows in the Change Management Process Library and section 11 of your Change Management SOP.

    Download the Change Management Process Library.

    Identify and convert low-risk normal changes to pre-approved once the process is established

    As your process matures, begin creating a list of normal changes that might qualify for pre-approval. The greatest potential for value from change management comes from re-engineering and automating high-volume changes. Pre-approved changes should save you time without threatening the live environment.

    IT should flag changes they would like pre-approved:

    • Once your change management process is firmly established, hold a meeting with all staff that make change requests and build changes.
    • Run a training session detailing the traits of pre-approved changes and ask these individuals to identify changes that might qualify.
    • These changes should be submitted to the Change Manager and reviewed, with the help of the CAB, to decide whether or not they qualify for pre-approval.

    Pre-approved changes are not exempt from due diligence:

    • Once a change is designated as pre-approved, the deployment team should create and compile all relevant documentation:
      • An RFC detailing the change, dependencies, risk, and impact.
      • Detailed procedures and required resources.
      • Implementation and backout plan.
      • Test results.
    • When templating the RFC for pre-approved changes, aim to write the documentation as if another SME were to implement it. This reduces confusion, especially if there’s staff turnover.
    • The CAB must approve, sign off, and keep a record of all documents.
    • Pre-approved changes must still be documented and recorded in the CMDB and change log after each deployment.

    Info-Tech Best Practice

    At the beginning of a change management process, there should be few active pre-approved changes. However, prior to launch, you may have IT flag changes for conversion.

    Example process: Pre-Approved Change Process

    The image shows two horizontal flow charts, the first labelled Pre-Approval of Recurring RFC, and the second labelled Implementation of Child RFC.

    For the full process, refer to the Change Management Process Library.

    Review the pre-approved change list regularly to ensure the changes on it are still low-risk and repeatable.

    IT environments change. Don’t be caught by surprise.

    • Changes which were once low-risk and repeatable may cause unforeseen incidents if they are not reviewed regularly.
    • Dependencies change as the IT environment changes. Ensure that the changes on the pre-approved change list are still low-risk and repeatable, and that the documentation is up to date.
    • If dependencies have changed, then move the change back to the normal category for reassessment. It may be redesignated as a pre-approved change once the documentation is updated.

    Info-Tech Best Practice

    Other reasons for moving a pre-approved change back to the normal category are that the change led to an incident during implementation or that there was an issue during implementation.

    Seek new pre-approved change submissions. → Re-evaluate the pre-approved change list every 4-6 months.

    The image shows a horizontal flow chart, depicting the process for a pre-approved change list review.

    For the full process, refer to the Change Management Process Library.

    2.2.3 Create a Pre-Approved Change Process

    Input

    • Current SOP/workflow library

    Output

    • Pre-approved change process

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Using the examples shown on the previous few slides, work as a group to determine the workflow for a pre-approved change, with particular attention to the following sub-processes:
      1. Request
      2. Assessment
      3. Plan
      4. Approve
    3. Document the process of converting a normal change to pre-approved. Include the steps from flagging a low-risk change to creating the related RFC template.
    4. Document the resulting workflows in the Change Management Process Library and sections 4.2 and 13 of your Change Management SOP.

    Reserve the emergency designation for real emergencies

    • Emergency changes have one of the following triggers:
      • A critical incident is impacting user productivity.
      • An imminent critical incident will impact user productivity.
    • Unless a critical incident is being resolved or prevented, the change should be categorized as normal.
    • An emergency change differs from a normal change in the following key aspects:
      • An emergency change is required to recover from a major outage – there must be a validated service desk critical incident ticket.
      • An urgent business requirement is not an “emergency.”
      • An RFC is created after the change is implemented and the outage is over.
      • A review by the full CAB occurs after the change is implemented.
      • The first responder and/or the person implementing the change may not be the subject matter expert for that system.
    • In all cases, an RFC must be created and the change must be reviewed by the full CAB. The review should occur within two business days of the event.
    Sample Change | Quick Check | Emergency?
    Install the latest critical patches from the vendor. | Are the patches required to resolve or prevent an imminent critical incident? | No
    A virus or worm invades the network and a patch is needed to eliminate the threat. | Is the patch required to resolve or prevent an imminent critical incident? | Yes

    Info-Tech Best Practice

    Change requesters should be made aware that senior management will be informed if an emergency RFC is submitted inappropriately. Emergency requests trigger urgent CAB meetings, are riskier to deploy, and delay other changes waiting in the queue.
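
    The emergency criteria above can be checked mechanically against the change log. The following is an added example, not part of the Info-Tech material: the record fields, finding codes, and sample records are constructed, "the event" is taken to be the implementation date, and business days are Monday to Friday with no holiday calendar.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CAB_REVIEW_BUSINESS_DAYS = 2  # "within two business days of the event"


@dataclass
class EmergencyChange:
    change_id: str
    requester: str
    implemented: date                # day the change was deployed (the "event")
    incident_ticket: Optional[str]   # service desk critical incident ticket
    ticket_validated: bool           # ticket confirmed as a critical incident
    rfc_created: Optional[date]      # RFC written after the outage is over
    cab_reviewed: Optional[date]     # review by the full CAB


def add_business_days(start: date, days: int) -> date:
    """Date that is `days` business days after `start` (Mon-Fri only;
    public holidays are ignored, which is an assumption of this sketch)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday-Friday
            days -= 1
    return current


def audit(change: EmergencyChange, today: date) -> list[str]:
    """Return finding codes for one change that was logged as an emergency."""
    findings = []
    # Trigger: a critical incident being resolved or prevented, backed by a
    # validated ticket. An urgent business requirement does not qualify.
    if not (change.incident_ticket and change.ticket_validated):
        findings.append("NO_VALIDATED_INCIDENT")
    # The RFC may be written after the fact, but it must exist.
    if change.rfc_created is None:
        findings.append("RFC_MISSING")
    # The full CAB review is due within two business days.
    deadline = add_business_days(change.implemented, CAB_REVIEW_BUSINESS_DAYS)
    if change.cab_reviewed is None:
        if today > deadline:
            findings.append("CAB_REVIEW_OVERDUE")
    elif change.cab_reviewed > deadline:
        findings.append("CAB_REVIEW_LATE")
    return findings


def misuse_by_requester(changes: list[EmergencyChange],
                        today: date) -> dict[str, list[str]]:
    """Group changes that should have been normal by requester, for the
    escalation to senior management that the practice calls for."""
    report: dict[str, list[str]] = {}
    for change in changes:
        if "NO_VALIDATED_INCIDENT" in audit(change, today):
            report.setdefault(change.requester, []).append(change.change_id)
    return report


# Constructed sample records (2024-03-01 is a Friday).
TODAY = date(2024, 3, 13)
SAMPLE = [
    EmergencyChange("CHG-1001", "asmith", date(2024, 3, 1), "INC-500", True,
                    date(2024, 3, 1), date(2024, 3, 5)),
    EmergencyChange("CHG-1002", "bjones", date(2024, 3, 4), None, False,
                    date(2024, 3, 4), date(2024, 3, 5)),
    EmergencyChange("CHG-1003", "asmith", date(2024, 3, 6), "INC-512", True,
                    None, None),
    EmergencyChange("CHG-1004", "bjones", date(2024, 3, 7), "INC-520", False,
                    date(2024, 3, 8), date(2024, 3, 12)),
]

if __name__ == "__main__":
    for chg in SAMPLE:
        print(chg.change_id, audit(chg, TODAY) or "ok")
    print("escalate:", misuse_by_requester(SAMPLE, TODAY))
```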

    Example process: Emergency Change Process

    The image is a flowchart depicting an emergency change process.

    When building your emergency change process, have your E-CAB protocol from activity 2.1.4 handy.

    • Focus on the following requirements for an emergency process:
      • E-CAB protocol and scope: Does the SME need authorization first before working on the change or can the SME proceed if no E-CAB members respond?
      • Documentation and communication to stakeholders and CAB after the emergency change is completed.
      • Input from incident management.

    For the full process, refer to the Change Management Process Library.

    2.2.4 Create an Emergency Change Process

    Input

    • Current SOP/workflow library

    Output

    • Emergency change process

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Using the examples shown on the previous few slides, work as a group to determine the workflow for an emergency change, with particular attention to the following sub-processes:
      1. Request
      2. Assessment
      3. Plan
      4. Approve
    3. Ensure that the E-CAB protocol from activity 2.1.4 is considered when building your process.
    4. Document the resulting workflows in the Change Management Process Library and section 12 of your Change Management SOP.

    Case Study (part 2 of 4)

    Intel implemented a robust change management process.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    Intel identified 37 different change processes and 25 change management systems of record with little integration.

    Software and infrastructure groups were also very siloed, and this no doubt contributed to the high number of changes that caused outages.

    The task was simple: standards needed to be put in place and communication had to improve.

    Results

    Once process ownership was assigned and the role of the Change Manager and CAB clarified, it was a simple task to streamline and simplify processes among groups.

    Intel designed a new, unified change management workflow that all groups would adopt.

    Automation was also brought into play to improve how RFCs were generated and submitted.

    Phase 3

    Define the RFC and Post-Implementation Activities

    This phase will guide you through the following activities:

    • Design the RFC
    • Establish Post-Implementation Activities

    This phase involves the following participants:

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board

    Step 3.1

    Design the RFC

    Activities

    3.1.1 Evaluate Your Existing RFC Process

    3.1.2 Build the RFC Form

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • A full RFC template and process that complements the workflows for the three change categories

    A request for change (RFC) should be submitted for every non-standard change

    An RFC should be submitted through the formal change management practice for every change that is not a standard, pre-approved change (a change which does not require submission to the change management practice).

    • The RFC should contain all the information required to approve a change. Some information will be recorded when the change request is first initiated, but not everything will be known at that time.
    • Further information can be added as the change progresses through its lifecycle.
    • The level of detail that goes into the RFC will vary depending on the type of change, the size, and the likely impact of the change.
    • Other details of the change may be recorded in other documents and referenced in the RFC.

    Info-Tech Insight

    Keep the RFC form simple, especially when first implementing change management, to encourage the adoption of and compliance with the process.

    RFCs should contain the following information, at a minimum:

    1. Contact information for requester
    2. Description of change
    3. References to external documentation
    4. Items to be changed, reason for the change, and impact of both implementing and not implementing the change
    5. Change type and category
    6. Priority and risk assessment
    7. Predicted time frame, resources, and cost
    8. Backout or remediation plan
    9. Proposed approvers
    10. Scheduled implementation time
    11. Communications plan and post-implementation review

    3.1.1 Evaluate Your Existing RFC Process

    Input

    • Current RFC form or stock ITSM RFC
    • Current SOP (if available)

    Output

    • List of changes to the current RFC form and RFC process

    Materials

    Participants

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. If the organization is already using an RFC form, review it as a group now and discuss its contents:
      • Does this RFC provide adequate information for the Change Manager and/or CAB to review?
      • Should any additional fields be added?
    2. Show the participants Info-Tech’s Request for Change Form Template and compare it to the one the organization is currently using.
    3. As a group, finalize an RFC table of contents that will be used to formalize a new or improved RFC.
    4. Decide which fields should be filled out by the requester before the initial RFC is submitted to the Change Manager:
      • Many sections of the RFC are relevant for change assessment and review. What information does the Change Manager need when they first receive a request?
      • The Change Manager needs enough information to ensure that the change is in scope and has been properly categorized.
    5. Decide how the RFC form should be submitted and reviewed; this can be documented in section 5 of your Change Management SOP.

    Download the Request for Change Form Template.

    Design the RFC to encourage process buy-in

    • When building the RFC, split the form up into sections that follow the normal workflow (e.g. Intake, Assessment and Build, Approval, Implementation/PIR). This way the form walks the requester through what needs to be filled and when.
    • Revisit the form periodically and solicit feedback to continually improve the user experience. If there’s information missing on the RFC that the CAB would like to know, add the fields. If there are sections that are not used or not needed for documentation, remove them.
    • Make sure the user experience surrounding your RFC form is a top priority – make it accessible, otherwise change requesters simply will not use it.
    • Take advantage of your ITSM’s dropdown lists, automated notifications, CMDB integrations, and auto-generated fields to ease the process of filling out the RFC.

    Draft:

    • Change requester
    • Requested date of deployment
    • Change risk: low/medium/high
    • Risk assessment
    • Description of change
    • Reason for change
    • Change components

    Technical Build:

    • Assess change:
      • Dependencies
      • Business impact
      • SLA impact
      • Required resources
      • Query the CMS
    • Plan and test changes:
      • Test plan
      • Test results
      • Implementation plan
      • Backout plan
      • Backout plan test results

    CAB:

    • Approve and schedule changes:
      • Final CAB review
      • Communications plan

    Complete:

    • Deploy changes:
      • Post-implementation review

    Designing your RFC: RFC draft

    • Change requester – link your change module to the active directory to pull the change requester’s contact information automatically to save time.
    • A requested date of deployment gives approvers information on timeline and can be used to query the change calendar for possible conflicts.
    • Risk assessments based on impact and likelihood questionnaires are quick to fill out but provide a lot of information to the CAB. The risk assessment may not be complete at the draft stage but can be updated as the change is built. Ensure this field is up to date before it reaches CAB.
    • If you have a technical review stage where changes are directed to the proper workflow and resourcing is assessed, the description, reason, and change components are high-level descriptors of the change that will aid in discovery and lining the change up with the business vision (viability from both a technical and business standpoint).

    Use the RFC to point to documentation already gathered in the DevOps lifecycle to cut down on unnecessary manual work while maintaining compliance.

    Designing your RFC: technical build

    • Dependencies and CMDB query, along with the proposed implementation date, are included to aid in calendar deconfliction and change scheduling. If there’s a conflict, it’s easier to reschedule the proposed change early in the lifecycle.
    • Business, SLA impact, and required resources can be tracked to provide the CAB with information on the business resources required. This can also be used to prioritize the change if conflicts arise.
    • Implementation, test, and backout plans must be included and assessed to increase the probability that a change will be implemented without failure. It’s also useful in the case of PIRs to determine root causes of change-related incidents.

    Designing your RFC: approval and deployment

    • Documenting approval, rejection, and rescheduling gives the change requester the go-ahead to proceed with the change, rationale on why it was prioritized lower than another change (rescheduled), or rationale on rejection.
    • Communications plans for appropriate stakeholders can also be modified and forwarded to the communications team (e.g. service desk or business system owners) before deployment.
    • Post-implementation activities and reviews can be conducted if need be before a change is closed. The PIR, if filled out, should then be appended to any subsequent changes of the same nature to avoid making the same mistake twice.

    Standardize the request for change protocol

    1. Submission Standards
      • Electronic submission will make it easier for CAB members to review the documentation.
      • As the change goes through the assessment, plan, and test phase, new documentation (assessments, backout plans, test results, etc.) can be attached to the digital RFC for review by CAB members prior to the CAB meeting.
      • Change management software won’t be necessary to facilitate the RFC submission and review; a content repository system, such as SharePoint, will suffice.
    2. Designate the first control point
      • All RFCs should be submitted to a single point of contact.
      • Ideally, the Change Manager or Technical Review Board should fill this role.
      • Whoever is tasked with this role needs the subject matter expertise to ensure that the change has been categorized correctly, to reject out-of-scope requests, or to ask that missing information be provided before the RFC moves through the full change management practice.

    Info-Tech Best Practice

    Technical and SME contacts should be noted in each RFC so they can be easily consulted during the RFC review.

    3.1.2 Build the RFC Form

    Input

    • Current RFC form or stock ITSM RFC
    • Current SOP (if available)

    Output

    • List of changes to the current RFC and RFC process

    Materials

    Participants

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board
    1. Use Info-Tech’s Request for Change Form Template as a basis for your RFC form.
    2. Use this template to standardize your change request process and ensure that the appropriate information is documented effectively each time a request is made. The change requester and Change Manager should consolidate all information associated with a given change request in this form. This form will be submitted by the change requester and reviewed by the Change Manager.

    Case Study (part 3 of 4)

    Intel implemented automated RFC form generation.

    Industry: Technology

    Source: Daniel Grove, Intel

    Solution

    One of the crucial factors that was impacting Intel’s change management efficiency was a cumbersome RFC process.

    A lack of RFC usage was contributing to increased ad hoc changes being put through the CAB, and the number of rescheduled changes was quite high.

    Additionally, ad hoc changes were also contributing heavily to unscheduled downtime within the organization.

    Results

    Intel designed and implemented an automated RFC form generator to encourage end users to increase RFC usage.

    As we’ve seen with RFC form design, the UX/UI of the form needs to be top notch, otherwise end users will simply circumvent the process. This will contribute to the problems you are seeking to correct.

    Thanks to increased RFC usage, Intel decreased emergency changes by 50% and reduced change-caused unscheduled downtime by 82%.

    Step 3.2

    Establish Post-Implementation Activities

    Activities

    3.2.1 Determine When the CAB Would Reject Tested Changes

    3.2.2 Create a Post-Implementation Activity Checklist

    This step involves the following participants:

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board

    Outcomes of this step

    • A formalized post-implementation process for continual improvement

    Why would the CAB reject a change that has been properly assessed and tested?

    Possible reasons the CAB would reject a change include:

    • The product being changed is approaching its end of life.
    • The change is too costly.
    • The timing of the change conflicts with other changes.
    • There could be compliance issues.
    • The change is actually a project.
    • The risk is too high.
    • There could be regulatory issues.
    • The peripherals (test, backout, communication, and training plans) are incomplete.

    Info-Tech Best Practice

    Many reasons for rejection (listed above) can be caught early on in the process during the technical review or change build portion of the change. The earlier you catch these reasons for rejection, the less wasted effort there will be per change.

    Sample RFC | Reason for CAB Rejection
    There was a request for an update to a system that a legacy application depends on and only a specific area of the business was aware of the dependency. | The CAB rejects it due to the downstream impact.
    There was a request for an update to a non-supported application, and the vendor was asking for a premium support contract that is very costly. | It’s too expensive to implement, despite the need for it. The CAB will wait for an upgrade to a new application.
    There was a request to update application functionality to a beta release. | The risk outweighs the business benefits.

    3.2.1 Determine When the CAB Would Reject Tested Changes

    Input

    • Current SOP (if available)

    Output

    • List of reasons to reject tested changes

    Materials

    • Whiteboard/flip charts (or shared screen if working remotely)
    • Projector
    • Markers/pens
    • Laptop with ITSM admin access
    • Project Summary Template

    Participants

    • IT Director
    • Infrastructure Manager
    • Change Manager
    • Members of the Change Advisory Board

    Avoid hand-offs to ensure a smooth implementation process

    The implementation phase is the final checkpoint before releasing the new change into your live environment. Once the final checks have been made to the change, it’s paramount that teams work together to transition the change effectively rather than doing an abrupt hand-off. This could cause a potential outage.

    1.

    • Deployment resources identified, allocated, and scheduled
    • Documentation complete
    • Support team trained
    • Users trained
    • Business sign-off
    • Target systems identified and ready to receive changes
    • Target systems available for installation (maintenance window scheduled)
    • Technical checks:
      • Disk space available
      • Pre-requisites met
      • Components/Services to be updated are stopped
      • All users disconnected
    • Download Info-Tech’s Change Management Pre-Implementation Checklist

    Implement change →

    2.

    1. Verification – once the change has been implemented, verify that all requirements are fulfilled.
    2. Review – ensure that all affected systems and applications are operating as predicted. Update change log.
    3. Transition – a crucial phase of implementation that’s often overlooked. Once the change implementation is complete from a technical point of view, it’s imperative that the team involved with the change inform and train the group responsible for managing the new change.

    Create a backout plan to reduce the risk of a failed change

    Every change process needs to plan for the potential for failure and how to address it effectively. Change management’s solution to this problem is a backout plan.

    A backout plan needs to contain a record of the steps that need to be taken to restore the live environment back to its previous state and maintain business continuity. A good backout plan asks the following questions:

    1. How will failure be determined? Who will make the determination to back out of a change, and when?
    2. Do we fix on fail or do we roll back to the previous configuration?
    3. Is the service desk aware of the impending change? Do they have proper training?

    Notify the Service Desk

    • Notify the Service Desk about backout plan initiation.

    Disable Access

    • Disable user access to affected system(s).

    Conduct Checks

    • Conduct checks to all affected components.

    Enable User Access

    • Enable user access to affected systems.

    Notify the Service Desk

    • Notify the service desk that the backout plan was successful.

    Info-Tech Best Practice

    As part of the backout plan, consider the turnback point in the change window. That is, the point within the change window where you still have time to fully back out of the change.

    Ensure the following post-implementation review activities are completed

    Service Catalog

    Update the service catalog with new information as a result of the implemented change.

    CMDB

    Update new dependencies present as a result of the new change.

    Asset DB

    Add notes about any assets newly affected by changes.

    Architecture Map

    Update your map based on the new change.

    Technical Documentation

    Update your technical documentation to reflect the changes present because of the new change.

    Training Documentation

    Update your training documentation to reflect any information about how users interact with the change.

    Use a post-implementation review process to promote continual improvement

    The post-implementation review (PIR) is the most neglected change management activity.

    • All changes should be reviewed to understand the reason behind them, appropriateness, and recommendations for next steps.
    • The Change Manager manages the completion of information PIRs and invites RFC originators to present their findings and document the lessons learned.

    Info-Tech Best Practice

    Review PIR reports at CAB meetings to highlight the root causes of issues, action items to close identified gaps, and back-up documentation required. Attach the PIR report to the relevant RFC to prevent similar changes from facing the same issues in the future.

    1. Why do a post-implementation review?
      • Changes that don’t fail but don’t perform well are rarely reviewed.
      • Changes may fail subtly and still need review.
      • Changes that cause serious failures (i.e. unplanned downtime) receive analysis that is unnecessarily in-depth.
    2. What are the benefits?
      • A proactive post-implementation review actually uses fewer resources than reactionary change reviews.
      • Root-cause analysis of failed changes, no matter what the impact.
      • Insight into changes that took longer than projected.
      • Identification of previously unidentified risks affecting changes.

    Determine the strategy for your PIR to establish a standardized process

    Capture the details of your PIR process in a table similar to the one below.

    Frequency

    • Part of weekly review (IT team meeting)

    Participants

    • Change Manager
    • Originator
    • SME/supervisor/impacted team(s)

    Categories under review

    Current deviations and action items from previous PIR:

    • Complete
    • Partially complete
    • Complete, late
    • Change failed, rollback succeeded
    • Change failed, rollback failed
    • Major deviation from implementation plan

    Output

    • Root cause of failure or deviation
    • External factors
    • Remediation focus areas
    • Remediation timeline (follow-up at appropriate time)

    Controls

    • Reviewed at next CAB meeting
    • RFC close is dependent on completion of PIR
    • Share with the rest of the technical team
    • Lessons learned stored in the knowledgebase and attached to RFC for easy search of past issues.

    3.2.2 Create a Post-Implementation Activity Checklist

    Input

    • Current SOP (if available)

    Output

    • List of reasons to reject tested changes

    Materials

    Participants

    • CIO
    • IT Managers
    • Change Manager
    • Members of the Change Advisory Board
    1. Gather representatives from the change management team.
    2. Brainstorm duties to perform following the deployment of a change. Below is a sample list:
      • Example:
        • Was the deployment successful?
          • If no, was the backout plan executed successfully?
        • List change-related incidents
        • Change assessment
          • Missed dependencies
          • Inaccurate business impact
          • Incorrect SLA impact
          • Inaccurate resources
            • Time
            • Staff
            • Hardware
        • System testing
        • Integration testing
        • User acceptance testing
        • No backout plan
        • Backout plan failure
        • Deployment issues
    3. Record your results in the Change Management Post-Implementation Checklist.

    Download the Change Management Post-Implementation Checklist

    Case Study

    Microsoft used post-implementation review activities to mitigate the risk of a critical Azure outage.

    Industry: Technology

    Source: Jason Zander, Microsoft

    Challenge

    In November 2014, Microsoft deployed a change intended to improve Azure storage performance by reducing CPU footprint of the Azure Table Front-Ends.

    The deployment method was an incremental approach called “flighting,” where software and configuration deployments are deployed incrementally to Azure infrastructure in small batches.

    Unfortunately, this software deployment caused a service interruption in multiple regions.

    Solution

    Before the software was deployed, Microsoft engineers followed proper protocol by testing the proposed update. All test results pointed to a successful implementation.

    Unfortunately, engineers pushed the change out to the entire infrastructure instead of adhering to the traditional flighting protocol.

    Additionally, the configuration switch was incorrectly enabled for the Azure Blob storage Front-Ends.

    A combination of the two mistakes exposed a bug that caused the outage.

    Results

    Thankfully, Microsoft had a backout plan. Within 30 minutes, the change was rolled back on a global scale.

    It was determined that policy enforcement was not integrated across the deployment system. An update to the system shifted the process of policy enforcement from human-based decisions and protocol to automation via the deployment platform.

    Defined PIR activities enabled Microsoft to take swift action against the outage and mitigate the risk of a serious outage.

    Phase 4

    Measure, Manage, and Maintain

    This phase will guide you through the following activities:

    • Identify Metrics and Build the Change Calendar
    • Implement the Project

    This phase involves the following participants:

    • CIO/IT Director
    • IT Managers
    • Change Manager

    Step 4.1

    Identify Metrics and Build the Change Calendar

    Activities

    4.1.1 Create an Outline for Your Change Calendar

    4.1.2 Determine Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    4.1.3 Track and Record Metrics Using the Change Management Metrics Tool

    This step involves the following participants:

    • CIO/IT Director
    • IT Managers
    • Change Manager

    Outcomes of this step

    • Clear definitions of change calendar content
    • Guidelines for change calendar scheduling
    • Defined metrics to measure the success of change management with associated reports, KPIs, and CSFs

    Enforce a standard method of prioritizing and scheduling changes

    The impact of not deploying the change and the benefit of deploying it should determine its priority.

    Risk of Not Deploying

    • What is the urgency of the change?
    • What is the risk to the organization if the change is not deployed right away?
    • Will there be any lost productivity, service disruptions, or missed critical business opportunities?
      • Timing
        • Does the proposed timing work with the approved changes already on the change schedule?
        • Has the change been clash checked so there are no potential conflicts over services or resources?
      • Once prioritized, a final deployment date should be set by the CAB. Check the change calendar first to avoid conflicts.

    Positive Impact of Deployment

    • What benefits will be realized once the change is deployed?
    • How significant is the opportunity that triggered the change?
    • Will the change lead to a positive business outcome (e.g. increased sales)?

    “The one who has more clout or authority is usually the one who gets changes scheduled in the time frame they desire, but you should really be evaluating the impact to the organization. We looked at the risk to the business of not doing the change, and that’s a good way of determining the criticality and urgency of that change.” – Joseph Sgandurra, Director, Service Delivery, Navantis

    Info-Tech Insight

    Avoid a culture where powerful stakeholders are able to push change deployment on an ad hoc basis. Give the CAB the full authority to make approval decisions based on urgency, impact, cost, and availability of resources.

    Develop a change schedule to formalize the planning process

    A change calendar will help the CAB schedule changes more effectively and increase visibility into upcoming changes across the organization.

    1. Establish change windows in a consistent change schedule:
      • Compile a list of business units that would benefit from a change.
      • Look for conflicts in the change schedule.
      • Avoid scheduling two or more major business units in a day.
      • Consider clients when building your change windows and change schedule.
    2. Gain commitments from key participants:
      • These individuals can confirm if there are any unusual or cyclical business requirements that will impact the schedule.
    3. Properly control your change calendar to improve change efficiency:
      • Look at the proposed start and end times: Are they sensible? Does the implementation window leave time for anything going wrong or needing to roll back the change?
      • Special considerations: Are there special circumstances that need to be considered? Ask the business if you don’t know.
      • The key principle is to have a sufficient window available for implementing changes so you only need to set up calendar freezes for sound business or technical reasons.

    “Our mantra is to put it on the calendar. Even if it’s a preapproved change and doesn’t need a vote, having it on the calendar helps with visibility. The calendar is the one-stop shop for scheduling and identifying change dependencies.” – Wil Clark, Director of Service and Performance Management, University of North Texas Systems

    Provide clear definitions of what goes on the change calendar and who’s responsible

    Roles

    • The Change Manager will be responsible for creating and maintaining a change calendar.
    • Only the Change Manager can physically alter the calendar by adding a new change after the CAB has agreed upon a deployment date.
    • All other CAB members, IT support staff, and other impacted stakeholders should have access to the calendar on a read-only basis to prevent people from making unauthorized changes to deployment dates.

    Inputs

    • Freeze periods for individual business departments/applications (e.g. finance month-end periods, HR payroll cycle, etc. – all to be investigated).
    • Maintenance windows and planned outage periods.
    • Project schedules, and upcoming major/medium changes.
    • Holidays.
    • Business hours (some departments work 9-5, others work different hours or in different time zones, and user acceptance testing may require business users to be available).

    Guidelines

    • Business-defined freeze periods are the top priority.
    • No major or medium normal changes should occur during the week between Christmas and New Year’s Day.
    • Vendor SLA support hours are the preferred time for implementing changes.
    • The vacation calendar for IT will be considered for major changes.
    • Change priority: High > Medium > Low.
    • Minor changes and preapproved changes have the same priority and will be decided on a case-by-case basis.

    The change calendar is a critical pre-requisite to change management in DevOps. Use the calendar to be proactive with proposed implementation dates and deconfliction before the change is finished.

    4.1.1 Create Guidelines for Your Change Calendar

    Input

    • Current change calendar guidelines

    Output

    • Change calendar inputs and schedule checklist

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Gather representatives from the change management team.
      • Example:
        • The change calendar/schedule includes:
          • Approved and scheduled normal changes.
          • Scheduled project work.
          • Scheduled maintenance windows.
          • Change freeze periods with affected users noted:
            • Daily/weekly freeze periods.
            • Monthly freeze periods.
            • Annual freeze periods.
            • Other critical business events.
    2. Create a checklist to run through before each change is scheduled:
      • Check the schedule and assess resource availability:
        • Will user productivity be impacted?
        • Are there available resources (people and systems) to implement the change?
        • Is the vendor available? Is there a significant cost attached to pushing change deployment before the regularly scheduled refresh?
        • Are there dependencies? Does the deployment of one change depend on the earlier deployment of another?
    3. Record your results in your Project Summary Template.

    Start measuring the success of your change management project using three key metrics

    Number of change-related incidents that occur each month

    • Each month, record the number of incidents that can be directly linked to a change. This can be done using an ITSM tool or manually by service desk staff.
    • This is a key success metric: if you are not tracking change-related incidents yet, start doing so as soon as possible. This is the metric that the CIO and business stakeholders will be most interested in because it impacts users directly.

    Number of unauthorized changes applied each month

    • Each month, record the number of changes applied without approval. This is the best way to measure adherence to the process.
    • If this number decreases, it demonstrates a reduction in risk, as more changes are formally assessed and approved before being deployed.

    Percentage of emergency changes

    • Each month, compare the number of emergency change requests to the total number of change requests.
    • Change requesters often designate changes as emergencies as a way of bypassing the process.
    • A reduction in emergency changes demonstrates that your process is operating smoothly and reduces the risk of deploying changes that have not been properly tested.

    Info-Tech Insight

    Start simple. Metrics can be difficult to tackle if you’re starting from scratch. While implementing your change management practice, use these three metrics as a starting point, since they correlate well with the success of change management overall. The following few slides provide more insight into creating metrics for your change process.

    If you want more insight into your change process, measure the progress of each step in change management with metrics

    Improve

    • Number of repeat failures (i.e. making the same mistake twice)
    • Number of changes converted to pre-approved
    • Number of changes converted from pre-approved back to normal

    Request

    • What percentage of change requests have errors or lack appropriate support?
    • What percentage of change requests are actually projects, service requests, or operational tasks?
    • What percentage of changes have been requested before (i.e. documented)?

    Assess

    • What percentage of change requests are out of scope?
    • What percentage of changes have been requested before (i.e. documented)?
    • What are the percentages of changes by category (normal, pre-approved, emergency)?

    Plan

    • What percentage of change requests are reviewed by the CAB that should have been pre-approved or emergency (i.e. what percentage of changes are in the wrong category)?

    Approve

    • Number of changes broken down by department (business unit/IT department to be used in making core/optional CAB membership more efficient)
    • Number of workflows that can be automated

    Implement

    • Number of changes completed on schedule
    • Number of changes rolled back
    • What percentage of changes caused an incident?

    Use metrics to inform project KPIs and CSFs

    Leverage the metrics from the last slide and convert them to data communicable to IT, management, and leadership

    • To provide value, metrics and measurements must be actionable. What actions can be taken as a result of the data being presented?
    • If the metrics are not actionable, there is no value and you should question the use of the metric.
    • Data points in isolation are mostly meaningless to inform action. Observe trends in your metrics to inform your decisions.
    • Using a framework to develop measurements and metrics provides a defined methodology that enables a mapping of base measurements through CSFs.
    • Establishing the relationship increases the value that measurements provide.

    Purposely use SDLC and change lifecycle metrics to find bottlenecks and automation candidates.

    Metrics:

    Metrics are easily measured datapoints that can be pulled from your change management tool. Examples: Number of changes implemented, number of changes without incident.

    KPIs:

    Key Performance Indicators are metrics presented in a way that is easily digestible by stakeholders in IT. Examples: Change efficiency, quality of changes.

    CSFs:

    Critical Success Factors are measures of the business success of change management taken by correlating the CSF with multiple KPIs. Examples: consistent and efficient change management process, a change process mapped to business needs.

    List in-scope metrics and reports and align them to benefits

    | Metric/Report (by team) | Benefit |
    | --- | --- |
    | Total number of RFCs and percentages by category (pre-approved, normal, emergency, escalated support, expedited) | Understand change management activity; tracking maturity growth; identifying “hot spots” |
    | Pre-approved change list (and additions/removals from the list) | Workload and process streamlining (i.e. reduce “red tape” wherever possible) |
    | Average time between RFC lifecycle stages (by service/application) | Advance planning for proposed changes |
    | Number of changes by service/application/hardware class | Identifying weaknesses in the architecture; vendor-specific TCO calculations |
    | Change triggers | Business- vs. IT-initiated change |
    | Number of RFCs by lifecycle stage | Workload planning |
    | List of incidents related to changes | Visible failures of the CM process |
    | Percentage of RFCs with a tested backout/validation plan | Completeness of change planning |
    | List of expedited changes | Spotlighting poor planning and reducing the need for this category going forward (“The Hall of Shame”) |
    | CAB approval rate | Change coordinator alignment with CAB priorities – low approval rate indicates need to tighten gatekeeping by the change coordinator |
    | Calendar of changes | Planning |

    4.1.2 Determine Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Input

    • Current metrics

    Output

    • List of trackable metrics, KPIs and CSFs

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Draw three tables for metrics, KPIs, and CSFs.
    2. Starting with the CSF table, fill in all relevant CSFs that your group wishes to track and measure.
    3. Next, work to determine relevant KPIs correlated with the CSFs and metrics needed to measure the KPIs. Use the tables included below (taken from section 14 of the Change Management SOP) to guide the process.
    4. Record the results in the tables in section 14 of your Change Management SOP.
    5. Decide on where and when to review the metrics to discuss your change management strategy. Designate an owner and record in the RACI and Communications section of your Change Management SOP.

    | Ref # | Metric |
    | --- | --- |
    | M1 | Number of changes implemented for a time period |
    | M2 | Number of changes successfully implemented for a time period |
    | M3 | Number of changes implemented causing incidents |
    | M4 | Number of accepted known errors when change is implemented |
    | M5 | Total days for a change build (specific to each change) |
    | M6 | Number of changes rescheduled |
    | M7 | Number of training questions received following a change |

    | Ref # | KPI | Product |
    | --- | --- | --- |
    | K1 | Successful changes for a period of time (approach 100%) | M2 / M1 x 100% |
    | K2 | Changes causing incidents (approach 0%) | M3 / M1 x 100% |
    | K3 | Average days to implement a change | ΣM5 / M1 |
    | K4 | Change efficiency (approach 100%) | [1 - (M6 / M1)] x 100% |
    | K5 | Quality of changes being implemented (approach 100%) | [1 - (M4 / M1)] x 100% |
    | K6 | Change training efficiency (approach 100%) | [1 - (M7 / M1)] x 100% |

    | Ref # | CSF | Indicator |
    | --- | --- | --- |
    | C1 | Successful change management process producing quality changes | K1, K5 |
    | C2 | Consistent efficient change process | K4, K6 |
    | C3 | Change process maps to business needs | K5, K6 |
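
    The following is an added example, not part of Info-Tech's SOP or tools: it derives M1 to M7 from per-change records, applies the K1 to K6 formulas, and rolls them up by the CSF indicator mapping above. The record field names, the single 75% target used for the roll-up, and the sample month are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class ChangeRecord:
    """One implemented change; field names are assumptions for this example."""
    change_id: str
    successful: bool
    caused_incident: bool
    known_errors_accepted: int
    build_days: float
    rescheduled: bool
    training_questions: int


# CSF -> KPI mapping, taken from the CSF table.
CSF_INDICATORS = {"C1": ("K1", "K5"), "C2": ("K4", "K6"), "C3": ("K5", "K6")}
KPI_NAMES = ("K1", "K2", "K3", "K4", "K5", "K6")


def base_metrics(records):
    """Derive M1..M7 from change records (M5 is summed across changes)."""
    return {
        "M1": len(records),
        "M2": sum(r.successful for r in records),
        "M3": sum(r.caused_incident for r in records),
        "M4": sum(r.known_errors_accepted for r in records),
        "M5_total": sum(r.build_days for r in records),
        "M6": sum(r.rescheduled for r in records),
        "M7": sum(r.training_questions for r in records),
    }


def kpis(m):
    """Compute K1..K6; every KPI is None when no changes were implemented."""
    m1 = m["M1"]
    if m1 == 0:  # every formula divides by M1
        return {name: None for name in KPI_NAMES}

    def pct(n):
        return round(100.0 * n / m1, 1)

    return {
        "K1": pct(m["M2"]),
        "K2": pct(m["M3"]),
        "K3": round(m["M5_total"] / m1, 1),
        "K4": pct(m1 - m["M6"]),  # same as [1 - (M6 / M1)] x 100%
        "K5": pct(m1 - m["M4"]),
        "K6": pct(m1 - m["M7"]),
    }


def out_of_range(k):
    """Percentage KPIs outside 0-100. M4 and M7 count errors and questions,
    not changes, so they can exceed M1 and push K5 or K6 below zero."""
    return [n for n in ("K1", "K2", "K4", "K5", "K6")
            if k[n] is not None and not 0 <= k[n] <= 100]


def csf_status(k, target):
    """Assumed roll-up: a CSF is met when all of its KPIs reach `target`.
    Returns None for a CSF when any of its KPIs could not be computed."""
    status = {}
    for csf, names in CSF_INDICATORS.items():
        values = [k[n] for n in names]
        status[csf] = None if None in values else all(v >= target for v in values)
    return status


# Constructed sample month (not real data): ten implemented changes.
SAMPLE = [
    ChangeRecord("CHG-01", True, False, 0, 2.0, False, 0),
    ChangeRecord("CHG-02", True, False, 0, 3.0, False, 1),
    ChangeRecord("CHG-03", True, False, 1, 5.0, True, 0),
    ChangeRecord("CHG-04", False, True, 0, 4.0, False, 2),
    ChangeRecord("CHG-05", True, False, 0, 1.0, False, 0),
    ChangeRecord("CHG-06", True, False, 0, 6.0, True, 0),
    ChangeRecord("CHG-07", False, True, 0, 7.0, True, 1),
    ChangeRecord("CHG-08", True, False, 0, 2.0, False, 0),
    ChangeRecord("CHG-09", True, False, 0, 3.0, False, 0),
    ChangeRecord("CHG-10", True, False, 0, 2.0, False, 0),
]

if __name__ == "__main__":
    month = kpis(base_metrics(SAMPLE))
    for name in KPI_NAMES:
        print(name, month[name])
    print("Out of range:", out_of_range(month))
    print("CSF status at 75% target:", csf_status(month, 75.0))
```
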

    Measure changes in selected metrics to evaluate success

    Once you have implemented a standardized change management practice, your team’s goal should be to improve the process, year over year.

    • After a process change has been implemented, it’s important to regularly monitor and evaluate the CSFs, KPIs, and metrics you chose to evaluate. Examine whether the process change you implemented has actually resolved the issue or achieved the goal of the critical success factor.
    • Establish a schedule for regularly reviewing the key metrics. Assess changes in those metrics and determine progress toward reaching objectives.
    • In addition to reviewing CSFs, KPIs, and metrics, check in with the release management team and end users to measure their perceptions of the change management process once an appropriate amount of time has passed.
    • Ensure that metrics are telling the whole story and that reporting is honest in order to be informative.

    Outcomes of standardizing change management should include:

    1. Improved efficiency, effectiveness, and quality of changes.
    2. Changes and processes are more aligned with the business needs and strategy.
    3. Improved maturity of change processes.

    Info-Tech Best Practice

    Make sure you’re measuring the right things and considering all sources of information. It’s very easy to put yourself in a position where you’re congratulating yourselves for improving on a specific metric such as number of releases per month, but satisfaction remains low.

    4.1.3 Track and Record Metrics Using the Change Management Metrics Tool

    Input

    • Current metrics

    Output

    • List of trackable metrics, KPIs and CSFs to be observed over the length of a year

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)

    Tracking the progress of metrics is paramount to the success of any change management process. Use Info-Tech’s Change Management Metrics Tool to record metrics and track your progress. This tool is intended to be a substitute for organizations who do not have the capability to track change-related metrics in their ITSM tool.

    1. Input metrics from the previous activity to track over the course of a year.
    2. To record your metrics, open the tool and go to tab 2. The tool is currently primed to record and track five metrics. If you need more than that, you can edit the list in the hidden calculations tab.
    3. To see the progress of your metrics, move to tab 3 to view a dashboard of all metrics in the tool.

    Download the Change Management Metrics Tool

    Case Study

    A federal credit union was able to track maturity growth through the proper use of metrics.

    Industry: Federal Credit Union (anonymous)

    Source: Info-Tech Workshop

    Challenge

    At this federal credit union, the VP of IT wanted a tight set of metrics to engage with the business, communicate within IT, enable performance management of staff, and provide visibility into workload demands, among other requirements.

    The organization was suffering from “metrics fatigue,” with multiple reports being generated from all groups within IT, to the point that weekly/monthly reports were being seen as spam.

    Solution

    Stakeholders were provided with an overview of change management benefits and were asked to identify one key attribute that would be useful to their specific needs.

    Metrics were designed around the stakeholder needs, piloted with each stakeholder group, fine-tuned, and rolled out.

    Some metrics could not be automated off-the-shelf and were rolled out in a manual fashion. These metrics were subsequently automated and finally made available through a dashboard.

    Results

    The business received clear guidance regarding estimated times to implement changes across different elements of the environment.

    The IT managers were able to plan team workloads with visibility into upstream change activity.

    Architects were able to identify vendors and systems that were the leading source of instability.

    The VP of IT was able to track the maturity growth of the change management process and proactively engage with the business on identified hot spots.

    Step 4.2

    Implement the Project

    Activities

    4.2.1 Use a Communications Plan to Gain End User Buy-In

    4.2.2 Create a Project Roadmap to Track Your Implementation Progress

    Measure, Manage, and Maintain

    Step 4.1: Identify Metrics and Build the Change Calendar

    Step 4.2: Implement the Project

    This step involves the following participants:

    • CIO/IT Director
    • IT Managers
    • Change Manager

    Outcomes of this step

    • A communications plan for key messages to communicate to relevant stakeholders and audiences
    • A roadmap with assigned action items to implement change management

    Success of the new process will depend on introducing change and gaining acceptance

    Change management provides value by promptly evaluating and delivering changes required by the business and by minimizing disruption and rework caused by failed changes. Communication of your new change management process is key. If people do not understand the what and why, it will fail to provide the desired value.

    Info-Tech Best Practice

    Gather feedback from end users about the new process: if the process is too bureaucratic, end users are more likely to circumvent it.

    Main Challenges with Communication

    • Many people fail before they even start because they are buried in a mess created before they arrived – either because of a failed attempt to get change management implemented or due to a complicated system that has always existed.
    • Many systems are maintained because “that’s the way it’s always been done.”
    • Organizations don’t know where to start; they think change management is too complex a process.
    • Each group needs to follow the same procedure – groups often have their own processes, but if they don’t agree with one another, this could cause an outage.

    Educate affected stakeholders to prepare for organizational change

    An organizational change management plan should be part of your change management project.

    • Educate stakeholders about:
      • The process change (describe it in a way that the user can understand and is clear and concise).
        • IT changes will be handled in a standardized and repeatable fashion to minimize change-related incidents.
      • Who is impacted?
        • All users.
      • How are they impacted?
        • All change requests will be made using a standard form and will not be deployed until formal approval is received.
      • Change messaging.
        • How to communicate the change (benefits).
      • Learning and development – training your users on the change.
        • Develop and deliver training session on the Change Management SOP to familiarize users with this new method of handling IT change.

    Host a lunch-and-learn session

    • For the initial deployment, host a lunch-and-learn session to educate the business on the change management practice. Relevant stakeholders of affected departments should host it and cover the following topics:
    • What is change management (change management/change control)?
    • The value of change management.
    • What the Change Management SOP looks like.
    • Who is involved in the change management process (the CAB, etc.)?
    • What constitutes a pre-approved change and an emergency change?
    • An overview of the process, including how to avoid unauthorized changes.
    • Who should they contact in case of questions?

    Communicate the new process to all affected stakeholders

    Do not surprise users or support staff with changes. This will result in lost productivity and low satisfaction with IT services.

    • User groups and the business need to be given sufficient notice of an impending change.
    • This will allow them to make appropriate plans to accept the change, minimizing the impact of the change on productivity.
    • A communications plan will be documented in the RFC while the release is being built and tested.
    • It’s the responsibility of the change team to execute on the communications plan.

    Info-Tech Insight

    The success of change communication can be measured by monitoring the number of service desk tickets related to a change that was not communicated to users.

    Communication is crucial to the integration and overall implementation of your change management initiative. An effective communications plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Create your communications plan to anticipate challenges, remove obstacles, and ensure buy-in

    Management

    Technicians

    Business Stakeholders

    Provide separate communications to key stakeholder groups

    Why? What problems are you trying to solve?

    What? What processes will it affect (that will affect me)?

    Who? Who will be affected? Who do I go to if I have issues with the new process?

    When? When will this be happening? When will it affect me?

    How? How will these changes manifest themselves?

    Goal? What is the final goal? How will it benefit me?

    Info-Tech Insight

    Pay close attention to the medium of communication. For example, stakeholders on their feet all day would not be as receptive to an email communication compared to those who primarily work in front of a computer. Put yourself into various stakeholders’ shoes to craft a tailored communication of change management.

    4.2.1 Use a Communications Plan to Gain End User Buy-In

    Input

    • List of stakeholder groups for change management

    Output

    • Tailored communications plans for various stakeholder groups

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Using Info-Tech’s Change Management Communications Plan, identify key audiences or stakeholder groups that will be affected by the new change management practice.
    2. For each group requiring a communications plan, identify the following:
      • The benefits for that group of individuals.
      • The impact the change will have on them.
      • The best communication method(s) for them.
      • The time frame of the communication.
    3. Complete this information in a table like the one below:

    | Group | Benefits | Impact | Method | Timeline |
    | --- | --- | --- | --- | --- |
    | IT | Standardized change process | All changes must be reviewed and approved | Poster campaign | 6 months |
    | End Users | Decreased wait time for changes | Formal process for RFCs | Lunch-and-learn sessions | 3 months |
    | Business | Reduced outages | Increased involvement in planning and approvals | Monthly reports | 1 year |

    4. Discuss the communications plan:
      • Will this plan ensure that users are given adequate opportunities to accept the changes being deployed?
      • Is the message appropriate for each audience? Is the format appropriate for each audience?
      • Does the communication include training where necessary to help users adopt any new functions/workflows being introduced?

    Download the Change Management Communications Plan

    Present your SOP to key stakeholders and obtain their approval

    Now that you have completed your Change Management SOP, the final step is to get sign-off from senior management to begin the rollout process.

    Know your audience:

    • Determine the service management stakeholders who will be included in the audience for your presentation.
    • You want your presentation to be succinct and hard hitting. Management’s time is tight and they will lose interest if you drag out the delivery.
    • Briefly speak about the need for more formal change management and emphasize the benefits of implementing a more formal process with a SOP.
    • Present your current state assessment results to provide context before presenting the SOP itself.
    • As with any other foundational activity, be prepared with some quick wins to gain executive attention.
    • Be prepared to review with both technical and less technical stakeholders.

    Info-Tech Insight

    The support of senior executive stakeholders is critical to the success of your SOP rollout. Try to wow them with project benefits and make sure they know about the risks/pain points.

    Download the Change Management Project Summary Template

    4.2.2 Create a Project Roadmap to Track Your Implementation Progress

    Input

    • List of implementation tasks

    Output

    • Roadmap and timeline for change management implementation

    Materials

    Participants

    • Change Manager
    • Members of the Change Advisory Board
    • Service Desk Manager
    • Operations (optional)
    1. Info-Tech’s Change Management Roadmap Tool helps you identify and prioritize tasks that need to be completed for the change management implementation project.
    2. Use this tool to identify each action item that will need to be completed as part of the change management initiative. Chart each action item, assign an owner, define the duration, and set a completion date.
    3. Use the resulting rocket diagram as a guide to task completion as you work toward your future state.

    Download the Change Management Roadmap Tool

    Case Study (part 4 of 4)

    Intel implemented a robust change management process.

    Industry: Technology

    Source: Daniel Grove, Intel

    Challenge

    Founded in 1968, the world’s largest microchip and semiconductor company employs over 100,000 people. Intel manufactures processors for major players in the PC market including Apple, Lenovo, HP, and Dell.

    Intel IT supports over 65,000 servers, 3.2 petabytes of data, over 70,000 PCs, and 2.6 million emails per day.

    Intel’s change management program is responsible for over 4,000 changes each week.

    Solution

    Intel had its new change management program in place and the early milestones planned, but one key challenge with any new project is communication.

    The company also needed to navigate the simplification of a previously complex process; end users could be familiar with any of the 37 different change processes or 25 different change management systems of record.

    Top-level buy-in was another concern.

    Results

    Intel first communicated the process changes by publishing the vision and strategy for the project with top management sponsorship.

    The CIO published all of the new change policies, which were supported by the Change Governance Council.

    Intel cited the reason for success as the designation of a Policy and Guidance Council – a group designed to own communication and enforcement of the new policies and processes put in place.

    Summary of Accomplishment

    Problem Solved

    You now have an outline of your new change management process. The hard work starts now for an effective implementation. Make use of the communications plan to socialize the new process with stakeholders and the roadmap to stay on track.

    Remember as you are starting your implementation to keep your documents flexible and treat them as “living documents.” You will likely need to tweak and refine the processware and templates several times to continually improve the process. Furthermore, don’t shy away from seeking feedback from your stakeholders to gain buy-in.

    Lastly, keep an eye on your progress with objective, data-driven metrics. Leverage the trends in your data to drive your decisions. Be sure to revisit the maturity assessment not only to measure and visualize your progress, but to gain insight into your next steps.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic office in Toronto, Ontario, Canada to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Complete a Change Management Maturity Assessment

    Run through the change management maturity assessment with tailored commentary for each action item outlining context and best practices.

    2.2.1 Plot the Process for a Normal Change

    Build a normal change process using Info-Tech’s Change Management Process Library template with an analyst helping you to right size the process for your organization.

    Related Info-Tech Research

    Standardize the Service Desk

    Improve customer service by driving consistency in your support approach and meeting SLAs.

    Stabilize Release and Deployment Management

    Maintain both speed and control while improving the quality of deployments and releases within the infrastructure team.

    Incident and Problem Management

    Don’t let persistent problems govern your department.

    Appendix I: Expedited Changes

    Employ the expedited change to promote process adherence

    In many organizations, there are changes which may not fit into the three prescribed categories. The need for an expedited category generally arises for one of two reasons:

    1. External drivers dictate changes via mandates which may not fall within the normal change cycle. A CIO, judge, state/provincial mandate, or request from shared services pushes a change that does not fall within a normal change cycle. However, there is no imminent outage (therefore it is not an emergency). In this case, an expedited change can proceed. Communicate to the change requester that IT and the change build team will still do their best to implement the change without issue, but any extra risk of implementing this expedited change (compared to a normal change) will be absorbed by the change requester.
    2. The change requester did not prepare for the change adequately. This is common if a new change process is being established (and stakeholders are still adapting to the process). Change requesters or the change build team may request the change to be done by a certain date that does not fall within the normal change cycle, or they simply did not give the CAB enough time to vet the change. In this case, you may use the expedited category as a metric (or a “Hall of Shame” example). If you identify a department or individual that frequently requests expedited changes, use the expedited category as a means to educate them about the normal change to discourage the behavior moving forward.

    Two possible ways to build an expedited change category:

    1. Build the category similar to an emergency change. In this case, one difference would be the time allotted to fully obtain authorization of the change from the E-CAB and business owner before implementing the change (as opposed to the emergency change workflow).
    2. Have the expedited change reflect the normal change workflow. In this case, all the same steps of the normal change workflow are followed except for expedited timelines between processes. This may include holding an impromptu CAB meeting to authorize the change.

    Example process: Expedited Change Process

    The image is a flowchart, showing the process for Expedited Change.

    For the full process, refer to the Change Management Process Library.

    Appendix II: Optimize IT Change Management in a DevOps Environment

    Change Management cannot be ignored because you are DevOps or Agile

    But it can be right-sized.

    The core tenets of change management still apply no matter the type of development environment an organization has. Changes in any environment carry risk of degrading functionality, and must therefore be vetted. However, the amount of work and rigor put into different stages of the change life cycle can be altered depending on the maturity of the development workflows. The following are several stage gates for change management that MUST be considered if you are a DevOps or Agile shop:

    • Intake assessment (separation of changes from projects, service requests, operational tasks)
      • Within a DevOps or Agile environment, many of the application changes will come directly from the SDLC and projects going live. This does not mean every change must go through the CAB; leveraging the pre-approved category allows an organization to stick to development lifecycles without being heavily bogged down by change bureaucracy.
    • Technical review
      • Leveraging automation, release contingencies, and the current SDLC documentation to decrease change risk allows for various changes to be designated as pre-approved.
    • Authorization
      • Define the authorization and dependencies of a change early in the lifecycle to gain authorization and necessary signoffs.
    • Documentation/communication
      • Documentation and communication are post-implementation activities that cannot be ignored. If documentation is required throughout the SDLC, then design the RFC to point to the correct documentation instead of duplicating information.

    “Understand that process is hard and finding a solution that fits every need can be tricky. With this change management process we do not try to solve every corner case so much as create a framework by which best judgement can be used to ensure maximum availability of our platforms and services while still complying with our regulatory requirements and making positive changes that will delight our customers.” – IT Director, Information Cybersecurity Organization

    Five principles for implementing change in DevOps

    Follow these best practices to make sure your requirements are solid:

    People

    The core differences between an Agile or DevOps transition and a traditional approach are the restructuring and the team behind it. As a result, the stakeholders of change management must be on board for the process to work. This is the most difficult problem to solve if it’s an issue, but opening avenues of feedback for a process build is a start.

    DevOps Lifecycles

    • Plan the dev lifecycle so people can’t skirt it. Ensure the process has automated checks so that it’s more work to skirt the system than it is to follow it. Make the right process the process of least resistance.
    • Plan changes from the start to ensure that cross-dependencies are identified early and that the proposed implementation date is deconflicted and visible to other change requesters and change stakeholders.

    Automation

    Automation comes in many forms and is well documented in many development workflows. Having automated signoffs for QA/security checks and for stakeholders and cross-dependency owners may not fully replace the CAB, but it can ease the burden on discussions before implementation.

    Contingencies

    Canary releases, phased releases, dark releases, and toggles are all options you can employ to reduce risk during a release. Furthermore, building in contingencies to the test/rollback plan decreases the risk of the change by decreasing the factor of likelihood.

    Continually Improve

    Building change from the ground up doesn’t mean the process has to be fully fledged before launch. Iterative improvements are possible before achieving an optimal state. Having the proper metrics on the pain points and bottlenecks in the process can identify areas for automation and improvement.

    Increasing the proportion of pre-approved changes

    Leverage the traditional change infrastructure to deploy changes quickly while keeping your risk low.

    • To designate a change as a pre-approved change it must have a low risk rating (based on impact and likelihood). Fortunately, many of the changes within the Agile framework are designed to be small and lower risk (at least within application development). Putting in the work ahead of time to document these changes, template RFCs, and document the dependencies for various changes allows for a shift in the proportion of pre-approved changes.
    • The designation of pre-approved changes is an ongoing process. This is not an overnight initiative. Measure the proportion of changes by category as a metric, setting goals and interim goals to shift the change proportion to a desired ratio.

    The image is a bar graph, with each bar having 3 colour-coded sections: Emergency, Normal, and Pre-Approved. The first bar is before, where the largest change category is Normal. The second bar is after, and the largest change category is Pre-Approved.

    Turn your CAB into a virtual one

    • The CAB does not have to fully disappear in a DevOps environment. If the SDLC is built in a way that authorizes changes through peer reviews and automated checks, by the time it’s deployed, the job of the CAB should have already been completed. Then the authorization stage-gate (traditionally, the CAB) shifts to earlier in the process, reducing the need for an actual CAB meeting. However, the change must still be communicated and documented, even if it’s a pre-approved change.
    • As the proportion of changes shifts from a high degree of normal changes to a high degree of pre-approved changes, the need for CAB meetings should decrease even further. As an end-state, you may reserve actual CAB meetings for high-profile changes (as defined by risk).
    • Lastly, change management does not disappear as a process. Periodic reviews of change management metrics and the pre-approved change list must still be completed.

    Define Your Cloud Vision

    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $182,333 Average $ Saved
    • member rating average days saved: 28 Average Days Saved

    The cloud permeates the enterprise technology discussion. It can be difficult to separate the hype from the value. Should everything go to the cloud, or is that sentiment stoked by vendors looking to boost their bottom lines? Not everything should go to the cloud, but coming up with a systematic way to determine what belongs where is increasingly difficult as offerings get more complex.

    Our Advice

    Critical Insight

    Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

    Impact and Result

    • Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
    • Codify risks tied to workloads’ cloud suitability and plan mitigations.
    • Build a roadmap of initiatives for actions by workload and risk mitigation.
    • Define a cloud vision to share with stakeholders.

    Define Your Cloud Vision Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Your Cloud Vision – A step-by-step guide to generating, validating, and formalizing your cloud vision.

    The cloud vision storyboard walks readers through the process of generating, validating and formalizing a cloud vision, providing a framework and tools to assess workloads for their cloud suitability and risk.

    • Define Your Cloud Vision – Phases 1-4

    2. Cloud Vision Executive Presentation – A document that captures the results of the exercises, articulating use cases for cloud/non-cloud, risks, challenges, and high-level initiative items.

    The executive summary captures the results of the vision exercise, including decision criteria for moving to the cloud, risks, roadblocks, and mitigations.

    • Cloud Vision Executive Presentation

    3. Cloud Vision Workbook – A tool that facilitates the assessment of workloads for appropriate service model, delivery model, support model, and risks and roadblocks.

    The cloud vision workbook comprises several assessments that will help you understand what service model, delivery model, support model, and risks and roadblocks you can expect to encounter at the workload level.

    • Cloud Vision Workbook

    Workshop: Define Your Cloud Vision

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Cloud

    The Purpose

    Align organizational goals to cloud characteristics.

    Key Benefits Achieved

    An understanding of how the characteristics particular to cloud can support organizational goals.

    Activities

    1.1 Generate corporate goals and cloud drivers.

    1.2 Identify success indicators.

    1.3 Explore cloud characteristics.

    1.4 Explore cloud service and delivery models.

    1.5 Define cloud support models and strategy components.

    1.6 Create state summaries for the different service and delivery models.

    1.7 Select workloads for further analysis.

    Outputs

    Corporate cloud goals and drivers

    Success indicators

    Current state summaries

    List of workloads for further analysis

    2 Assess Workloads

    The Purpose

    Evaluate workloads for cloud value and action plan.

    Key Benefits Achieved

    Action plan for each workload.

    Activities

    2.1 Conduct workload assessment using the Cloud Strategy Workbook tool.

    2.2 Discuss assessments and make preliminary determinations about the workloads.

    Outputs

    Completed workload assessments

    Workload summary statements

    3 Identify and Mitigate Risks

    The Purpose

    Identify and plan to mitigate potential risks in the cloud project.

    Key Benefits Achieved

    A list of potential risks and plans to mitigate them.

    Activities

    3.1 Generate a list of risks and potential roadblocks associated with the cloud.

    3.2 Sort risks and roadblocks and define categories.

    3.3 Identify mitigations for each identified risk and roadblock.

    3.4 Generate initiatives from the mitigations.

    Outputs

    List of risks and roadblocks, categorized

    List of mitigations

    List of initiatives

    4 Bridge the Gap and Create the Strategy

    The Purpose

    Clarify your vision of how the organization can best make use of cloud and build a project roadmap.

    Key Benefits Achieved

    A clear vision and a concrete action plan to move forward with the project.

    Activities

    4.1 Review and assign work items.

    4.2 Finalize the decision framework for each of the following areas: service model, delivery model, and support model.

    4.3 Create a cloud vision statement.

    Outputs

    Cloud roadmap

    Finalized task list

    Formal cloud decision rubric

    Cloud vision statement

    5 Next Steps and Wrap-Up

    The Purpose

    Complete your cloud vision by building a compelling executive-facing presentation.

    Key Benefits Achieved

    Simple, straightforward communication of your cloud vision to key stakeholders.

    Activities

    5.1 Build the Cloud Vision Executive Presentation.

    Outputs

    Completed cloud strategy executive presentation

    Completed Cloud Vision Workbook.

    Further reading

    Define Your Cloud Vision

    Define your cloud vision before it defines you

    Analyst perspective

    Use the cloud’s strengths. Mitigate its weaknesses.

    The cloud isn’t magic. It’s not necessarily cheaper, better, or even available for the thing you want it to do. It’s not mysterious or a cure-all, and it does take a bit of effort to systematize your approach and make consistent, defensible decisions about your cloud services. That’s where this blueprint comes in.

    Your cloud vision is the culmination of this effort all boiled down into a single statement: “This is how we want to use the cloud.” That simple statement should, of course, be representative of – and built from – a broader, contextual strategy discussion that answers the following questions: What should go to the cloud? What kind of cloud makes sense? Should the cloud deployment be public, private, or hybrid? What does a migration look like? What risks and roadblocks need to be considered when exploring your cloud migration options? What are the “day 2” activities that you will need to undertake after you’ve gotten the ball rolling?

    Taken as a whole, answering these questions is a difficult task. But with the framework provided here, it’s as easy as – well, let’s just say it’s easier.

    Jeremy Roberts

    Research Director, Infrastructure and Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • You are both extrinsically motivated to move to the cloud (e.g. by vendors) and intrinsically motivated by internal digital transformation initiatives.
    • You need to define the cloud’s true value proposition for your organization without assuming it is an outsourcing opportunity or will save you money.
    • Your industry, once cloud-averse, is now normalizing the use of cloud services, but you have not established a basic cloud vision from which to develop a strategy at a later point.

    Common Obstacles

    • Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
    • Many organizations have a foot in the cloud already, but these decisions have been made in an ad hoc rather than systematic fashion.
    • You lack a consistent framework to assess your workloads’ suitability for the cloud.

    Info-Tech's Approach

    • Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
    • Codify risks tied to workloads’ cloud suitability and plan mitigations.
    • Build a roadmap of initiatives for actions by workload and risk mitigation.
    • Define a cloud vision to share with stakeholders.

    Info-Tech Insight: 1) Base migration decisions on cloud characteristics. If your justification for the migration is simply getting your workload out of the data center, think again. 2) Address the risks up front in your migration plan. 3) The cloud changes roles and calls for different skill sets, but Ops is here to stay.

    Your challenge

    This research is designed to help organizations who need to:

    • Identify workloads that are good candidates for the cloud.
    • Develop a consistent, cost-effective approach to cloud services.
    • Outline and mitigate risks.
    • Define your organization’s cloud archetype.
    • Map initiatives on a roadmap.
    • Communicate your cloud vision to stakeholders so they can understand the reasons behind a cloud decision and differentiate between different cloud service and deployment models.
    • Understand the risks, roadblocks, and limitations of the cloud.

    “We’re moving from a world where companies like Oracle and Microsoft and HP and Dell were all critically important to a world where Microsoft is still important, but Amazon is now really important, and Google also matters. The technology has changed, but most of the major vendors they’re betting their business on have also changed. And that’s super hard for people.” – David Chappell, Author and Speaker

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
    • Many organizations already have a foot in the cloud, but the choice to explore these solutions was made in an ad hoc rather than systematic fashion. The cloud just sort of happened.
    • The lack of a consistent assessment framework means that some workloads that probably belong in the cloud are kept on premises or with hosted services providers – and vice versa.
    • Securing cloud expertise is remarkably difficult – especially in a labor market roiled by the global pandemic and the increasing importance of cloud services.

    Standard cloud challenges

    30% of all cloud spend is self-reported as waste. Many workloads that end up in the cloud don’t belong there. Many workloads that do belong in the cloud aren’t properly migrated. (Flexera, 2021)

    44% of respondents report themselves as under-skilled in the cloud management space. (Pluralsight, 2021)

    Info-Tech’s approach

    Goals and drivers

    • Service model
      • What type of cloud makes the most sense for workload archetypes? When does it make sense to pick SaaS over IaaS, for example?
    • Delivery model
      • Will services be delivered over the public cloud, a private cloud, or a hybrid cloud? What challenges accompany this decision?
    • Migration Path
      • What does the migration path look like? What does the transition to the cloud look like, and how much effort will be required? Amazon’s 6Rs framework captures migration options: rehosting, repurchasing, replatforming, and refactoring, along with retaining and retiring. Each workload should be assessed for its suitability for one or more of these paths.
    • Support model
      • How will services be provided? Will staff be trained, new staff hired, a service provider retained for ongoing operations, or will a consultant with cloud expertise be brought on board for a defined period? The appropriate support model is highly dependent on goals along with expected outcomes for different workloads.

    Highlight risks and roadblocks

    Formalize cloud vision

    Document your cloud strategy

    The Info-Tech difference:

    1. Determine the hypothesized value of cloud for your organization.
    2. Evaluate workloads with 6Rs framework.
    3. Identify and mitigate risks.
    4. Identify cloud archetype.
    5. Plot initiatives on a roadmap.
    6. Write action plan statement and goal statement.

    What is the cloud, how is it deployed, and how is service provided?

    Cloud Characteristics

    1. On-demand self-service: the ability to access resources instantly without vendor interaction
    2. Broad network access: all services delivered over the network
    3. Resource pooling: multi-tenant environment (shared)
    4. Rapid elasticity: the ability to expand and retract capabilities as needed
    5. Measured service: transparent metering

    Service Model:

    1. Software-as-a-Service: all but the most minor configuration is done by the vendor
    2. Platform-as-a-Service: customer builds the application using tools provided by the provider
    3. Infrastructure-as-a-Service: the customer manages OS, storage, and the application

    Delivery Model

    1. Public cloud: accessible to anyone over the internet; multi-tenant environment
    2. Private cloud: provisioned for a single organization with multiple units
    3. Hybrid cloud: two or more connected clouds; data is portable across them
    4. Community cloud: provisioned for a specific group of organizations

    (National Institute of Standards and Technology)

    A workload-first approach will allow you to take full advantage of the cloud’s strengths

    • Under all but the most exceptional circumstances, good cloud strategies will incorporate different service models. Very few organizations are “IaaS shops” or “SaaS shops,” even if they lean heavily in one direction.
    • These different service models (including non-cloud options like colocation and on-premises infrastructure) each have different strengths. Part of your cloud strategy should involve determining which of the services makes the most sense for you.
    • Own the cloud by understanding which cloud (or non-cloud!) offering makes the most sense for you given your unique context.

    Migration paths

    In a 2016 blog post, Amazon introduced a framework for understanding cloud migration strategies. The framework presented here is slightly modified – including a “relocate” component rather than a “retire” component – but otherwise hews close to the standard.

    These migration paths reflect organizational capabilities and desired outcomes in terms of service models – cloud or otherwise. Retention means keeping the workload where it is, in a datacenter or a colocation service, or relocating to a colocation or hosted software environment. These represent the “non-cloud” migration paths.

    In the graphic on the right, the paths within the red box lead to the cloud. Rehosting means lifting and shifting to an infrastructure environment. Migrating a virtual machine from your VMware environment on premises to Azure Virtual Machines is a quick way to realize some benefits from the cloud. Migrating from SQL Server on premises to a cloud-based SQL solution looks a bit more like changing platforms (replatforming). It involves basic infrastructure modification without a substantial architectural component.

    Refactoring is the most expensive of the options and involves engaging the software development lifecycle to build a custom solution, fundamentally rewriting the solution to be cloud native and take advantage of cloud-native architectures. This can result in a PaaS or an IaaS solution.

    Finally, repurchasing means simply going to market and procuring a new solution. This may involve migrating data, but it does not require the migration of components.

    Migration Paths

    Retain (Revisit)

    • Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

    Relocate

    • Move the workload between datacenters or to a hosted software/colocation provider.

    Rehost

    • Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

    Replatform

    • Move the application to the cloud and perform a few changes for cloud optimizations.

    Refactor

    • Rewrite the application, taking advantage of cloud-native architectures.

    Repurchase

    • Replace with an alternative, cloud-native application and migrate the data.

    Support model

    Support models by characteristic

    | Support model | Duration of engagement | Specialization | Flexibility |
    |---|---|---|---|
    | Internal IT | Indefinite | Varies based on nature of business | Fixed, permanent staff |
    | Managed Service Provider | Contractually defined | General, some specialization | Standard offering |
    | Consultant | Project-based | Specific, domain-based | Entirely negotiable |

    IT services, including cloud services, can be delivered and managed in multiple ways depending on the nature of the workload and the organization’s intended path forward. Three high-level options are presented here and may be more or less valuable based on the duration of the expected engagement with the service (temporary or permanent), the skills specialization required, and the flexibility necessary to complete the job.

    By way of example, a highly technical, short-term project with significant flexibility requirements might be a good fit for an expensive consultant, whereas post-implementation maintenance of a cloud email system requires relatively little specialization and flexibility and would therefore be a better fit for internal management.

    There is no universally applicable rule here, but there are some workloads that are generally a good fit for the cloud and others that are not as effective, with that fit being conditional on the appropriate support model being employed.

    Risks, roadblocks, and strategy components

    No two cloud strategies are exactly alike, but all should address 14 key areas. A key step in defining your cloud vision is an assessment of these strategy components. Lower maturity does not preclude an aggressive cloud strategy, but it does indicate that higher effort will be required to make the transition.

    | Component | Description | Component | Description |
    |---|---|---|---|
    | Monitoring | What will system owners/administrators need visibility into? How will they achieve this? | Vendor Management | What practices must change to ensure effective management of cloud vendors? |
    | Provisioning | Who will be responsible for deploying cloud workloads? What governance will this process be subject to? | Finance Management | How will costs be managed with the transition away from capital expenditure? |
    | Migration | How will cloud migrations be conducted? What best practices/standards must be employed? | Security | What steps must be taken to ensure that cloud services meet security requirements? |
    | Operations management | What is the process for managing operations as they change in the cloud? | Data Controls | How will data residency, compliance, and protection requirements be met in the cloud? |
    | Architecture | What general principles must apply in the cloud environment? | Skills and roles | What skills become necessary in the cloud? What steps must be taken to acquire those skills? |
    | Integration and interoperability | How will services be integrated? What standards must apply? | Culture and adoption | Is there a cultural aversion to the cloud? What steps must be taken to ensure broad cloud acceptance? |
    | Portfolio Management | Who will be responsible for managing the growth of the cloud portfolio? | Governing bodies | What formal governance must be put in place? Who will be responsible for setting standards? |

    Cloud archetypes – a cloud vision component

    Once you understand the value of the cloud, your workloads’ general suitability for cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype.

    Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes.

    After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders.

    The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.

    Archetypes are listed from More Cloud (top) to Less Cloud (bottom).

    | High-level archetype | Archetype | We can best support the organization's goals by: |
    |---|---|---|
    | Cloud Focused | Cloud-Centric | Providing all workloads through cloud delivery. |
    | Cloud Focused | Cloud-First | Using the cloud as our default deployment model. For each workload, we should ask “why NOT cloud?” |
    | Cloud Opportunistic | Hybrid | Enabling the ability to transition seamlessly between on-premises and cloud resources for many workloads. |
    | Cloud Opportunistic | Integrated | Combining cloud and traditional infrastructure resources, integrating data and applications through APIs or middleware. |
    | Cloud Opportunistic | Split | Using the cloud for some workloads and traditional infrastructure resources for others. |
    | Cloud Averse | Cloud-Light | Using traditional infrastructure resources and limiting our use of the cloud to when it is absolutely necessary. |
    | Cloud Averse | Anti-Cloud | Using traditional infrastructure resources and avoiding use of the cloud wherever possible. |

    Info-Tech’s methodology for defining your cloud vision

    1. Understand the Cloud
      • Phase Steps
        1. Generate goals and drivers
        2. Explore cloud characteristics
        3. Create a current state summary
        4. Select workloads for analysis
      • Phase Outcomes
        1. List of goals and drivers
        2. Shared understanding of cloud terms
        3. Current state of cloud in the organization
        4. List of workloads to be assessed

    2. Assess Workloads
      • Phase Steps
        1. Conduct workload assessments
        2. Determine workload future state
      • Phase Outcomes
        1. Completed workload assessments
        2. Defined workload future state

    3. Identify and Mitigate Risks
      • Phase Steps
        1. Generate risks and roadblocks
        2. Mitigate risks and roadblocks
        3. Define roadmap initiatives
      • Phase Outcomes
        1. List of risks and roadblocks
        2. List of mitigations
        3. Defined roadmap initiatives

    4. Bridge the Gap and Create the Vision
      • Phase Steps
        1. Review and assign work items
        2. Finalize cloud decision framework
        3. Create cloud vision
      • Phase Outcomes
        1. Cloud roadmap
        2. Cloud decision framework
        3. Completed Cloud Vision Executive Presentation

    Insight summary

    The cloud may not be right for you – and that’s okay!

    Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud first isn’t always the way to go.

    Not all clouds are equal

    It’s not “should I go to the cloud?” but “what service and delivery models make sense based on my needs and risk tolerance?” Thinking about the cloud as a binary can force workloads into the cloud that don’t belong (and vice versa).

    Bottom-up is best

    A workload assessment is the only way to truly understand the cloud’s value. Work from the bottom up, not the top down, understand what characteristics make a workload cloud suitable, and strategize on that basis.

    Your accountability doesn’t change

    You are still accountable for maintaining available, secure, functional applications and services. Cloud providers share some responsibility, but the buck stops where it always has: with you.

    Don’t customize for the sake of customization

    SaaS providers make money selling the same thing to everyone. When migrating a workload to SaaS, work with stakeholders to pursue standardization around a selected platform and avoid customization where possible.

    Best of both worlds, worst of both worlds

    Hybrid clouds are in fashion, but true hybridity comes with additional cost, administration, and other constraints. A convoy moves at the speed of its slowest member.

    The journey matters as much as the destination

    How you get there is as important as what “there” actually is. Any strategy that focuses solely on the destination misses out on a key part of the value conversation: the migration strategy.

    Blueprint benefits

    Cloud Vision Executive Presentation

    This presentation captures the results of the exercises and presents a complete vision to stakeholders including a desired target state, a rubric for decision making, the results of the workload assessments, and an overall risk profile.

    Cloud Vision Workbook

    This workbook includes the standard cloud workload assessment questionnaire along with the results of the assessment. It also includes the milestone timeline for the implementation of the cloud vision.

    Blueprint benefits

    IT Benefits

    • A consistent approach to the cloud takes the guesswork out of deployment decisions and makes it easier for IT to move on to the execution stage.
    • When properly incorporated, cloud services come with many benefits, including automation, elasticity, and alternative architectures (micro-services, containers). The cloud vision project will help IT readers articulate expected benefits and work towards achieving them.
    • A clear framework for incorporating organizational goals into cloud plans.

    Business benefits

    • Simple, well-governed access to high-quality IT resources.
    • Access to the latest and greatest in technology to facilitate remote work.
    • Framework for cost management in the cloud that incorporates OpEx and chargebacks/showbacks. A clear understanding of expected changes to cost modeling is also a benefit of a cloud vision.
    • Clarity for stakeholders about IT’s response to (and contribution to) IT strategic initiatives.

    Measure the value of this blueprint

    Don’t take our word for it:

    • The cloud vision material in various forms has been offered for several years, and members have generally benefited substantially, both from cloud vision workshops and from guided implementations led by analysts.
    • After each engagement, we send a survey that asks members how they benefited from the experience. Of 30 responses, the cloud vision research has received an average score of 9.8/10. Real members have found significant value in the process.
    • Additionally, members reported saving between 2 and 120 days (for an average of 17), and financial savings ranged from $1,920 all the way up to $1.27 million, for an average of $170,577.90! If we drop outliers on both ends, the average reported value of a cloud vision engagement is $37,613.
    • Measure the value by calculating the time saved from using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

    9.8/10 Average reported satisfaction

    17 Days Average reported time savings

    $37,613 Average cost savings (adj.)

    Executive Brief Case Study

    Industry: Financial

    Source: Info-Tech workshop

    Anonymous financial institution

    A small East Coast financial institution was required to develop a cloud strategy. This strategy had to meet several important requirements, including alignment with strategic priorities and best practices, along with regulatory compliance, including with the Office of the Comptroller of the Currency.

    The bank already had a significant cloud footprint and was looking to organize and formalize the strategy going forward.

    Leadership needed a comprehensive strategy that touched on key areas including the delivery model, service models, individual workload assessments, cost management, risk management and governance. The output had to be consumable by a variety of audiences with varying levels of technical expertise and had to speak to IT’s role in the broader strategic goals articulated earlier in the year.

    Results

    The bank engaged Info-Tech for a cloud vision workshop and worked through four days of exercises with various IT team members. The bank ultimately decided on a multi-cloud strategy that prioritized SaaS while also allowing for PaaS and IaaS solutions, along with some non-cloud hosted solutions, based on organizational circumstances.

    Bank cloud vision

    [Bank] will provide innovative financial and related services by taking advantage of the multiplicity of best-of-breed solutions available in the cloud. These solutions make it possible to benefit from industry-level innovations, while ensuring efficiency, redundancy, and enhanced security.

    Bank cloud decision workflow

    • SaaS
      • Platform?
        • Yes
          • PaaS
        • No
          • Hosted
        • IaaS
          • Other

    Non-cloud

    Cloud

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 and 12 calls over the course of 4 to 6 months.

    Phase 1

    • Call #1: Discuss current state, challenges, etc.
    • Call #2: Goals, drivers, and current state.

    Phase 2

    • Call #3: Conduct cloud suitability assessment for selected workloads.

    Phase 3

    • Call #4: Generate and categorize risks.
    • Call #5: Begin the risk mitigation conversation.

    Phase 4

    • Call #6: Complete the risk mitigation process.
    • Call #7: Finalize vision statement and cloud decision framework.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1: Understand the cloud

    • Activities
      • 1.1 Introduction
      • 1.2 Generate corporate goals and cloud drivers
      • 1.3 Identify success indicators
      • 1.4 Explore cloud characteristics
      • 1.5 Explore cloud service and delivery models
      • 1.6 Define cloud support models and strategy components
      • 1.7 Create current state summaries for the different service and delivery models
      • 1.8 Select workloads for further analysis
    • Deliverables
      1. Corporate goals and cloud drivers
      2. Success indicators
      3. Current state summaries
      4. List of workloads for further analysis

    Day 2: Assess workloads

    • Activities
      • 2.1 Conduct workload assessments using the cloud strategy workbook tool
      • 2.2 Discuss assessments and make preliminary determinations about workloads
    • Deliverables
      1. Completed workload assessments
      2. Workload summary statements

    Day 3: Identify and mitigate risks

    • Activities
      • 3.1 Generate a list of risks and potential roadblocks associated with the cloud
      • 3.2 Sort risks and roadblocks and define categories
      • 3.3 Identify mitigations for each identified risk and roadblock
      • 3.4 Generate initiatives from the mitigations
    • Deliverables
      1. List of risks and roadblocks, categorized
      2. List of mitigations
      3. List of initiatives

    Day 4: Bridge the gap and create the strategy

    • Activities
      • 4.1 Review and assign work items
      • 4.2 Finalize the decision framework for each of the following areas:
        • Service model
        • Delivery model
        • Support model
      • 4.3 Create a cloud vision statement
    • Deliverables
      1. Finalized task list
      2. Formal cloud decision rubric
      3. Cloud vision statement

    Offsite day: Next steps and wrap-up (offsite)

    • Activities
      • 5.1 Build the Cloud Vision Executive Presentation
    • Deliverables
      1. Completed cloud strategy executive presentation
      2. Completed cloud vision workbook

    Understand the cloud

    Build the foundations of your cloud vision

    Phase 1

    This phase will walk you through the following activities:

    1.1.1 Generate organizational goals

    1.1.2 Define cloud drivers

    1.1.3 Define success indicators

    1.3.1 Record your current state

    1.4.1 Select workloads for further assessment

    This phase involves the following participants:

    IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders.

    It starts with shared understanding

    Stakeholders must agree on overall goals and what “cloud” means

    The cloud is a nebulous term that can reasonably describe services ranging from infrastructure as a service as delivered by providers like Amazon Web Services and Microsoft through its Azure platform, right up to software as a service solutions like Jira or Salesforce. These solutions solve different problems – just because your CRM would be a good fit for a migration to Salesforce doesn’t mean the same system would make sense in Azure or AWS.

    This is important because the language we use to talk about the cloud can color our approach to cloud services. A “cloud-first” strategy will mean something different to a CEO with a concept of the cloud rooted in Salesforce than it will to a system administrator who interprets it to mean a transition to cloud-hosted virtual machines.

    Add to this the fact that not all cloud services are hosted externally by providers (public clouds) and the fact that multiple delivery models can be engaged at once through hybrid or multi-cloud approaches, and it’s apparent that a shared understanding of the cloud is necessary for a coherent strategy to take form.

    This phase proceeds in four steps, each governed by the principle of shared understanding. The first requires a shared understanding of corporate goals and drivers. Step 2 involves coming to a shared understanding of the cloud’s unique characteristics. Step 3 requires a review of the current state. Finally, in Step 4, participants will identify workloads that are suitable for analysis as candidates for the cloud.

    Step 1.1

    Generate goals and drivers

    Activities

    1.1.1 Define organizational goals

    1.1.2 Define cloud drivers

    1.1.3 Define success indicators

    This step involves the following participants:

    • IT management
    • Core working group
    • Security
    • Applications
    • Infrastructure
    • Service management
    • Leadership

    Outcomes of this step

    • List of organizational goals
    • List of cloud drivers
    • Defined success indicators

    What can the cloud do for you?

    The cloud is not valuable for its own sake, and not all users derive the same value

    • The cloud is characterized by on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Any or all of those characteristics might be enough to make the cloud appealing, but in most cases, there is an overriding driver.
    • Multiple paths may lead to the cloud. Consider an organization with a need to control costs by showing back to business units, or perhaps by reducing capital expenditure – the cloud may be the most appropriate way to effect these changes. Conversely, an organization expanding rapidly and with a need to access the latest and greatest technology might benefit from the elasticity and pooled resources that major cloud providers can offer.
    • In these cases, the destination might be the same (a cloud solution) but the delivery model – public, private, or hybrid – and the decisions made around the key strategy components, including architecture, provisioning, and cost management, will almost certainly be different.
    • Defining goals, understanding cloud drivers, and – crucially – understanding what success means, are all therefore essential elements of the cloud vision process.

    1.1.1 Generate organizational goals

    1-3 hours

    Input

    • Strategy documentation

    Output

    • Organizational goals

    Materials

    • Whiteboard (digital/physical)

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. As a group, brainstorm organizational goals, ideally based on existing documentation.
      • Review relevant corporate and IT strategies.
      • If you do not have access to internal documentation, review the standard goals on the next slide and select those that are most relevant for you.
    2. Record the most important business goals in the Cloud Vision Executive Presentation. Include descriptions where possible to ensure wide readability.
    3. Make note of these goals. They should inform the answers to prompts offered in the Cloud Vision Workbook and should be a consistent presence in the remainder of the visioning exercise. If you’re conducting the session in person, leave the goals up on a whiteboard and make reference to them throughout the workshop.

    Cloud Vision Executive Presentation

    Standard COBIT 19 enterprise goals

    1. Portfolio of competitive products and services
    2. Managed business risk
    3. Compliance with external laws and regulations
    4. Quality of financial information
    5. Customer-oriented service culture
    6. Business service continuity and availability
    7. Quality of management information
    8. Optimization of internal business process functionality
    9. Optimization of business process costs
    10. Staff skills, motivation, and productivity
    11. Compliance with internal policies
    12. Managed digital transformation programs
    13. Product and business innovation

    1.1.2 Define cloud drivers

    30-60 minutes

    Input

    • Organizational goals
    • Strategy documentation
    • Management/staff perspective

    Output

    • List of cloud drivers

    Materials

    • Sticky notes
    • Whiteboard
    • Markers

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. Cloud drivers sit at a level of abstraction below organizational goals. Keeping your organizational goals in mind, have each participant in the session write down how they expect to benefit from the cloud on a sticky note.
    2. Solicit input one at a time and group similar responses. Encourage participants to bring forward their cloud goals even if similar goals have been mentioned previously. The number of mentions is a useful way to gauge the relative weight of the drivers.
    3. Once this is done, you should have a few groups of similar drivers. Work with the group to name each category. This name will be the driver reported in the documentation.
    4. Input the results of the exercise into the Cloud Vision Executive Presentation, and include descriptions based on the constituent drivers. For example, if a driver is titled “do more valuable work,” the constituent drivers might be “build cloud skills,” “focus on core products,” and “avoid administration work where possible.” The description would be based on these components.

    Cloud Vision Executive Presentation

    1.1.3 Define success indicators

    1 hour

    Input

    • Cloud drivers
    • Organizational goals

    Output

    • List of cloud driver success indicators

    Materials

    • Whiteboard
    • Markers

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. On a whiteboard, draw a table with each of the cloud drivers (identified in 1.1.2) across the top.
    2. Work collectively to generate success indicators for each cloud driver. In this case, a success indicator is some way you can report your progress with the stated driver. It is a real-world proxy for the sometimes abstract phenomena that make up your drivers. Think about what would be true if your driver was realized.
      1. For example, if your driver is “faster access to resources,” you might consider indicators like developer satisfaction, project completion time, average time to provision, etc.
    3. Once you are satisfied with your list of indicators, populate the slide in the Cloud Vision Executive Presentation for validation from stakeholders.

    Cloud Vision Executive Presentation

    Step 1.2

    Explore cloud characteristics

    Activities

    Understand the value of the cloud:

    • Review delivery models
    • Review support models
    • Review service models
    • Review migration paths

    This step involves the following participants:

    • Core working group
    • Architecture
    • Engineering
    • Security

    Outcomes of this step

    • Understanding of cloud service models and value

    Defining the cloud

    Per NIST, the cloud has five fundamental characteristics. All clouds have these characteristics, even if they are executed in somewhat different ways between delivery models, service models, and even individual providers.

    Cloud characteristics

    On-demand self-service

    Cloud customers are capable of provisioning cloud resources without human interaction (e.g. contacting sales), generally through a web console.

    Broad network access

    Capabilities are designed to be delivered over a network and are generally intended for access by a wide variety of platform types (cloud services are generally device-agnostic).

    Resource pooling

    Multiple customers (internal, in the case of private clouds) make use of a highly abstracted shared infrastructure managed by the cloud provider.

    Rapid elasticity

    Customers are capable of provisioning additional resources as required, pulling from a functionally infinite pool of capacity. Cloud resources can be spun-down when no longer needed.

    Measured service

    Consumption is metered based on an appropriate unit of analysis (number of licenses, storage used, compute cycles, etc.) and billing is transparent and granular.

    Cloud delivery models

    The NIST definition of cloud computing outlines four cloud delivery models: public, private, hybrid, and community clouds. A community cloud is like a private cloud, but it is provisioned for the exclusive use of a like-minded group of organizations, usually in a mutually beneficial, non-competitive arrangement. Universities and hospitals are examples of organizations that can pool their resources in this way without impacting competitiveness. The Info-Tech model covers three key delivery models – public, private, and hybrid, and an overarching model (multi-cloud) that can comprise more than one of the other models – public + public, public + hybrid, etc.

    Public

    The cloud service is provisioned for access by the general public (customers).

    Private

    A private cloud has the five key characteristics, but is provisioned for use by a single entity, like a company or organization.

    Hybrid

    Hybridity essentially refers to interoperability between multiple cloud delivery models (public + private).

    Multi

    A multi-cloud deployment requires only that multiple clouds are used without any necessary interoperability (Nutanix, 2019).

    Public cloud

    This is what people generally think about when they talk about cloud

    • The public cloud is, well, public! Anyone can make use of its resources, and in the case of the major providers, capacity is functionally unlimited. Need to store exabytes of data in the cloud? No problem! Amazon will drive a modified shipping container to your datacenter, load it up, and “migrate” it to a datacenter.
    • Public clouds offer significant variety on the infrastructure side. Major IaaS providers, like Microsoft and Amazon, offer dozens of services across many different categories including compute, networking, and storage, but also identity, containers, machine learning, virtual desktops, and much, much more.
    • There are undoubtedly strengths to the public cloud model. Providers offer the “latest and greatest” and customers need not worry about the details, including managing infrastructure and physical locations. Providers offer built-in redundancy, multi-regional deployments, automation tools, management and governance solutions, and a variety of leading-edge technologies that would not be feasible for organizations to run in-house, like high performance compute, blockchain, or quantum computing.
    • Of course, the public cloud is not all sunshine and rainbows – there are downsides as well. It can be expensive; it can introduce regulatory complications to have to trust another entity with your key information. Additionally, there can be performance hiccups, and with SaaS products, it can be difficult to monitor at the appropriate (per-transaction) level.

    Prominent examples include: AWS, Microsoft Azure, Salesforce.com, Workday, and SAP.

    Private cloud

    A lower-risk cloud for cloud-averse customers?

    • A cloud is a cloud, no matter how small. Some IT shops deploy private clouds that make use of the five key cloud characteristics but are provisioned for the exclusive use of a single entity, like a corporation.
    • Private clouds have numerous benefits. Some potential cloud customers might be uncomfortable with the shared responsibility that is inherent in the public cloud. Private clouds allow customers to deliver flexible, measured services without having to surrender control, but they require significant overhead, capital expenditure, administrative effort, and technical expertise.
    • According to the 2021 State of the Cloud Report, private cloud use is common, and the most frequently cited toolset is VMware vSphere, followed by Azure Stack, OpenStack, and AWS Outposts. Private cloud deployments are more common in larger organizations, which makes sense given the overhead required to manage such an environment.

    Private cloud adoption

    The image shows a graph titled Private Cloud Adoption for Enterprises. It is a horizontal bar graph, with three segments in each bar: dark blue marking currently use; mid blue marking experimenting; and light blue marking plan to use.

    VMware and Microsoft lead the pack among private cloud customers, with Amazon and Red Hat also substantially present across private cloud environments.

    Hybrid cloud

    The best of both worlds?

    Hybrid cloud architectures combine multiple cloud delivery models and facilitate some level of interoperability. NIST suggests bursting and load balancing as examples of hybrid cloud use cases. Note: it is not sufficient to simply have multiple clouds running in parallel – there must be a toolset that allows for an element of cross-cloud functionality.

    This delivery model is attractive because it allows users to take advantage of the strengths of multiple service models using a single management pane. Bursting across clouds to take advantage of additional capacity or disaster recovery capabilities are two obvious use cases that appeal to hybrid cloud users.

    But while hybridity is all the rage (especially given the impact Covid-19 has had on the workplace), the reality is that any hybrid cloud user must take the good with the bad. Multiple clouds and a management layer can be technically complex, expensive, and require maintaining a physical infrastructure that is not especially valuable (“I thought we were moving to the cloud to get out of the datacenter!”).

    Before selecting a hybrid approach through services like VMware Cloud on AWS or Microsoft’s Azure Stack, consider the cost, complexity, and actual expected benefit.

    Amazon, Microsoft, and Google dominate public cloud IaaS, but IBM is betting big on hybrid cloud:

    The image is a screencap of a tweet from IBM News. The tweet reads: IBM CEO Ginni Rometty: Hybrid cloud is a trillion dollar market and we'll be number one #Think2019.

    With its acquisition of Red Hat in 2019 for $34 billion, Big Blue put its money where its mouth is and acquired a substantial hybrid cloud business. At the time of the acquisition, Red Hat’s CEO, Jim Whitehurst, spoke about the benefit IBM expected to receive:

    “Joining forces with IBM gives Red Hat the opportunity to bring more open source innovation to an even broader range of organizations and will enable us to scale to meet the need for hybrid cloud solutions that deliver true choice and agility” (Red Hat, 2019).

    Multi-cloud

    For most organizations, the multi-cloud is the most realistic option.

    Multi-cloud is popular!

    The image shows a graph titled Multi-Cloud Architectures Used, % of all Respondents. The largest percentage is apps siloed on different clouds, followed by data integration between clouds.

    Multi-cloud solutions exist at a different layer of abstraction from public, private, and even hybrid cloud delivery models. A multi-cloud architecture, as the name suggests, requires the user to be a customer of more than one cloud provider, and it can certainly include a hybrid cloud deployment, but it is not bound by the same rules of interoperability.

    Many organizations – especially those with fewer resources or a lack of a use case for a private cloud – rely on a multi-cloud architecture to build applications where they belong, and they manage each environment separately (or occasionally with the help of cloud management platforms).

    If your data team wants to work in AWS and your enterprise services run on basic virtual machines in Azure, that might be the most effective architecture. As the Flexera 2021 State of the Cloud Report suggests, this architecture is far more common than the more complicated bursting or brokering architectures characteristic of hybrid clouds.

    NIST cloud service models

    Software as a service

    SaaS has exploded in popularity with consumers who wish to avail themselves of the cloud’s benefits without having to manage underlying infrastructure components. SaaS is simple, generally billed per-user per-month, and is almost entirely provider-managed.

    Platform as a service

    PaaS providers offer a toolset for their customers to run custom applications and services without the requirement to manage underlying infrastructure components. This service model is ideal for custom applications/services that don’t benefit from highly granular infrastructure control.

    Infrastructure as a service

    IaaS represents the sale of components. Instead of a service, IaaS providers sell access to components, like compute, storage, and networking, allowing for customers to build anything they want on top of the providers’ infrastructure.

    Cloud service models

    • This research focuses on five key service models, each of which has its own strengths and weaknesses. Moving right from “on-prem,” customers gradually give up more control over their environments to cloud service providers.
    • An entirely premises-based environment means that the customer is responsible for everything ranging from the dirt under the datacenter to application-level configurations. Conversely, in a SaaS environment, the provider is responsible for everything but those top-level application configurations.
    • A managed service provider or other third party can manage any or all of the components of the infrastructure stack. A service provider may, for example, build a SaaS solution on top of another provider’s IaaS, or might offer configuration assistance with a commercially available SaaS.

    Info-Tech Insight

    Not all workloads fit well in the cloud. Many environments will mix service models (e.g. SaaS for some workloads, some in IaaS, some on-premises), and this can be perfectly effective. It must be consistent and intentional, however.

    [Figure: control of the infrastructure stack by service model. Columns: On-prem, Co-Lo, IaaS, PaaS, SaaS. Rows, top to bottom: Application; Database; Runtime/Middleware; OS; Hypervisor; Server, Network, Storage; Facilities. Each cell is shaded with one of three values: organization has control, organization or vendor may control, vendor has control.]

    Analytics folly

    SaaS is good, but it’s not a panacea

    Industry: Healthcare

    Source: Info-Tech workshop

    Situation

    A healthcare analytics provider had already moved a significant number of “non-core workloads” to the cloud, including email, HRIS, and related services.

    The company CEO was satisfied with the reduced effort required by IT to manage SaaS-based workloads and sought to extend the same benefits to the core analytics platform where there was an opportunity to reduce overhead.

    Complication

    Many components of the health analytics service were designed to run specifically in a datacenter and were not ready to be migrated to the cloud without significant effort/refactoring. SaaS was not an option because this was a core platform – a SaaS provider would have been the competition.

    That left IaaS, which was expensive and would not bring the expected benefits (reduced overhead).

    Results

    The organization determined that there were no short-term gains from migrating to the cloud. Due to the nature of the application (its extensive customization and the fact that it was a core product sold by the company), any steps to reduce operational overhead were not feasible.

    The CEO recognized that the analytics platform was not a good candidate for the cloud and understood what distinguished it from more suitable workloads.

    Migration paths

    In a 2016 blog post, Amazon Web Services articulated a framework for cloud migration that incorporates elements of the journey as well as the destination. If workload owners do not choose to retain or retire their workloads, there are four alternatives. These alternatives all stack up differently along five key dimensions:

    1. Value: does the workload stand to benefit from unique cloud characteristics? To what degree?
    2. Effort: how much work would be required to make the transition?
    3. Cost: how much money is the migration expected to cost?
    4. Time: how long will the migration take?
    5. Skills: what skills must be brought to bear to complete the migration?

    Not all migration paths can lead to all destinations. Rehosting generally means IaaS, while repurchasing leads to SaaS. Refactoring and replatforming have some variety of outcomes, and it becomes possible to take advantage of new IaaS architectures or migrate workloads over fully to SaaS.

    As part of the workload assessment process, use the five dimensions (expanded upon on the next slide) to determine what migration path makes sense. Preferred migration paths form an important part of the overall cloud vision process.

    Retain (Revisit)

    • Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

    Retire

    • Get rid of the application completely.

    Rehost

    • Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

    Replatform

    • Move the application to the cloud and perform a few changes for cloud optimizations.

    Refactor

    • Rewrite the application, taking advantage of cloud native architectures.

    Repurchase

    • Replace with an alternative, cloud-native application and migrate the data.

    Migration paths – relative value

    | Migration path | Value | Effort | Cost | Time | Skills |
    |---|---|---|---|---|---|
    | Retain | No real change in the absolute value of the workload if it is retained. | No effort beyond ongoing workload maintenance. | No immediate hard dollar costs, but opportunity costs and technical debt abound. | No time required! (At least not right away…) | Retaining requires the same skills it has always required (which may be more difficult to acquire in the future). |
    | Retire | A retired workload can provide no value, but it is not a drain! | Spinning a service down requires engaging that part of the lifecycle. | N/A | Retiring the service may be simple or complicated depending on its current role. | N/A |
    | Rehost | Some value comes with rehosting, but generally components stay the same (VM here vs. a VM there). | Minimal effort required, especially with automated tools. The effort will depend on the environment being migrated. | Relatively cheap compared to other options. | Rehosting infrastructure is the simplest cloud migration path and is useful for anyone in a hurry. | Rehosting is the simplest cloud migration path for most workloads, but it does require basic familiarity with cloud IaaS. |
    | Replatform | Replatformed workloads can take advantage of cloud-native services (SQL vs. SQLaaS). | Replatforming is more effortful than rehosting, but less effortful than refactoring. | Moderate cost – does not require fundamental rearchitecture, just some tweaking. | Relatively more complicated than a simple rehost, but less demanding than a refactor. | Platform and workload expertise is required; more substantial than a simple rehost. |
    | Refactor | A fully formed, customized cloud-based workload that can take advantage of cloud-native architectures is generally quite valuable. | Significant effort required based on the requirement to engage the full SDLC. | Significant cost required to engage SDLC and rebuild the application/service. | The most complicated and time-consuming. | The most complicated and time-consuming. |
    | Repurchase | Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). | Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). | Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). | Configuration – especially for massive projects – can be time consuming, but in general repurchasing can be quite fast. | Buying software does require knowledge of requirements and integrations, but is otherwise quite simple. |

    Where should you get your cloud skills?

    Cloud skills are certainly top of mind right now. With the great upheaval in both work patterns and in the labor market more generally, expertise in cloud-related areas is simultaneously more valuable and more difficult to procure. According to Pluralsight’s 2021 “State of Upskilling” report, 44% of respondents report themselves under-skilled in the cloud management area, making cloud management the most significant skill gap reported on the survey.

    Everyone left the office. Work as we know it is fundamentally altered for a generation or more. Cloud services shot up in popularity by enabling the transition. And yet there is a gap – a prominent gap – in skilling up for this critically important future. What is the cloud manager to do?

    Per the framework presented here, that manager has three essential options. They may take somewhat different forms depending on specific requirements and the quirks of the local market, but the options are:

    1. Train or hire internal resources: This might be easier said than done, especially for more niche skills, but makes sense for workloads that are critical to operations for the long term.
    2. Engage a managed service provider: MSPs are often engaged to manage services where internal IT lacks bandwidth or expertise.
    3. Hire a consultant: Consultants are great for time-bound implementation projects where highly specific expertise is required, such as a migration or implementation project.

    Each model makes sense to some degree. When evaluating individual workloads for cloud suitability, it is critical to consider the support model – both immediate and long term. What makes sense from a value perspective?

    Cloud decisions – summary

    A key component of the Info-Tech cloud vision model is that it is multi-layered. Not every decision must be made at every level. At the workload level, it makes sense to select service models that make sense, but each workload does not need its own defined vision. Workload-level decisions should be guided by an overall strategy but applied tactically, based on individual workload characteristics and circumstances.

    Conversely, some decisions will inevitably be applied at the environment level. With some exceptions, it is unlikely that cloud customers will build an entire private/hybrid cloud environment around a single solution; instead, they will define a broader strategy and fit individual workloads into that strategy.

    Some considerations exist at both the workload and environment levels. Risks and roadblocks, as well as the preferred support model, are concerns that exist at both the environment level and at the workload level.

    The image is a Venn diagram, with the left side titled Workload level, and the right side titled Environment Level. In the left section are: service model and migration path. On the right section are: Overall vision and Delivery model. In the centre section are: support model and Risks and roadblocks.

    Step 1.3

    Create a current state summary

    Activities

    1.3.1 Record your current state

    This step involves the following participants: Core working group

    Outcomes of this step

    • Current state summary of cloud solutions

    1.3.1 Record your current state

    30 minutes

    Input

    • Knowledge of existing cloud workloads

    Output

    • Current state cloud summary for service, delivery, and support models

    Materials

    • Whiteboard

    Participants

    • Core working group
    • Infrastructure team
    • Service owners
    1. On a whiteboard (real or virtual) draw a table with each of the cloud service models across the top. Leave a cell below each to list examples.
    2. Under each service model, record examples present in your environment. The purpose of the exercise is to illustrate the existence of cloud services in your environment or the lack thereof, so there is no need to be exhaustive. Complete this in turn for each service model until you are satisfied that you have created an effective picture of your current cloud SaaS state, IaaS state, etc.
    3. Input the results into their own slide titled “current state summary” in the Cloud Vision Executive Presentation.
    4. Repeat for the cloud delivery models and support models and include the results of those exercises as well.
    5. Create a short summary statement (“We are primarily a public cloud consumer with a large SaaS footprint and minimal presence in PaaS and IaaS. We retain an MSP to manage our hosted telephony solution; otherwise, everything is handled in house.”).

    Cloud Vision Executive Presentation

    Step 1.4

    Select workloads for current analysis

    Activities

    1.4.1 Select workloads for assessment

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • List of workloads for assessment

    1.4.1 Select workloads for assessment

    30 minutes

    Input

    • Knowledge of existing cloud workloads

    Output

    • List of workloads to be assessed

    Materials

    • Whiteboard
    • Cloud Vision Workbook

    Participants

    • Core working group
    • IT management
    1. In many cases, the cloud project is inspired by a desire to move a particular workload or set of workloads. Solicit feedback from the core working group about what these workloads might be. Ask everyone in the meeting to suggest a workload and record each one on a sticky note or whiteboard (virtual or physical).
    2. Discuss the results with the group and begin grouping similar workloads together. They will be subject to the assessments in the Cloud Vision Workbook, so try to avoid selecting too many workloads that will produce similar answers. It might not be obvious, but try to think about workloads that have similar usage patterns, risk levels, and performance requirements, and select a representative group.
    3. Embrace counterintuition: if you can, select a workload that you think is unlikely to be a good fit for the cloud and subject it to the assessment as well for validation purposes.
    4. When you have a list of 4-6 workloads, record them on tab 2 of the Cloud Vision Workbook.

    Cloud Vision Workbook

    Assess your cloud workloads

    Build the foundations of your cloud vision

    Phase 2

    Evaluate Cloud Workloads

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Conduct workload assessments
    • Determine workload future state

    This phase involves the following participants:

    • Subject matter experts
    • Core working group
    • IT management

    Define Your Cloud Vision

    Work from the bottom up and assess your workloads

    A workload-first approach will help you create a realistic vision.

    The concept of a cloud vision should unquestionably be informed by the nature of the workloads that IT is expected to provide for the wider organization. The overall cloud vision is no greater than the sum of its parts. You cannot migrate to the cloud in the abstract. Workloads need to go – and not all workloads are equally suitable for the transition.

    It is therefore imperative to understand which workloads are a good fit for the cloud, which cloud service models make the most sense, how to execute the migration, what support should look like, and what risks and roadblocks you are likely to encounter as part of the process.

    That’s where the Cloud Vision Workbook comes into play. You can use this tool to assess as many workloads as you’d like – most people get the idea after about four – and by the end of the exercise, you should have a pretty good idea about where your workloads belong, and you’ll have a tool to assess any net new or previously unconsidered workloads.

    It’s not so much about the results of the assessment – though these are undeniably important – but about the learnings gleaned from the collaborative assessment exercise. While you can certainly fill out the assessment without any additional input, this exercise is most effective when completed as part of a group.

    Introducing the Cloud Vision Workbook

    • The Cloud Vision Workbook is an Excel tool that answers the age-old question: “What should I do with my workloads?”
    • It is divided into eight tabs, each of which offers unique value. Start by reading the introduction and inputting your list of workloads. Work your way through tabs 3-6, completing the suitability, migration, management, and risk and roadblock assessments, and review the results on tab 7.
    • If you choose to go through the full battery of assessments for each workload, expect to answer and weight 111 unique questions across the four assessments. This is an intensive exercise, so carefully consider which assessments are valuable to you, and what workloads you have time to assess.
    • Tab 8 hosts the milestone timeline and captures the results of the phase 3 risk and mitigation exercise.

    Understand Cloud Vision Workbook outputs

    The image shows a graphic with several graphs and lists on it, with sections highlighted with notes. At the top is the title “Database,” with the note “Workload title (populated from tab 2).” Below that is a graph with the note “Relative suitability of the five service models.” The Risks and roadblocks section includes the note “The strategy components – the risks and roadblocks – are captured relative to one another to highlight key focus areas.” To the left of that is a Notes section with the note “Notes populated based on post-assessment discussion.” At the bottom is a section titled “Where should skills be procured?”, with the note “The radar diagram captures the recommended support model relative to the others (MSP, consultant, internal IT).” To the right of that is a section titled “Migration path,” with the note “Ordered list of migration paths. Note: a disconnect here with the suggested service model may indicate an unrealistic goal state.”

    Step 2.1

    Conduct workload assessments

    Activities

    2.1.1 Conduct workload assessments

    2.1.2 Interpret your results

    This step involves the following participants:

    • Core working group
    • Workload subject matter experts

    Outcomes of this step

    • Completed workload assessments

    2.1.1 Conduct workload assessments

    2 hours per workload

    Input

    • List of workloads to be assessed

    Output

    • Completed cloud vision assessments

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    • Service owners/workload SMEs
    1. The Cloud Vision Workbook is your one-stop shop for all things workload assessment. Open the tool to tab 2 and review the workloads you identified at the end of phase 1. Ensure that these are correct. Once satisfied, project the tool (virtually, if necessary) so that all participants can see the assessment questions.
    2. Work through tabs 3-6, answering the questions and assigning a multiplier for each one. A higher multiplier increases the relative weight of the question, giving it a greater impact on the overall outcome.
    3. Do your best to induce participants to offer opinions. Consensus is not absolutely necessary, but it is a good goal. Ask your participants if they agree with initial responses and occasionally take the opposite position (“I’m surprised you said agree – I would have thought we didn’t care about CapEx vs. OpEx”). Stimulate discussion.
    4. Highlight any questions that you will need to return to or run by someone not present. Include a placeholder answer, as the tool requires all cells to be filled for computation.

    Cloud Vision Workbook

    2.1.2 Interpret your results

    10 minutes

    Input

    • Completed cloud vision assessments

    Output

    • Shared understanding of implications

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    • Service owners/workload SMEs
    1. Once you’ve completed all 111 questions for each workload, you can review your results on tab 7. On tab 7, you will see four populated graphics: cloud suitability, migration path, “where should skills be procured?”, and risks and roadblocks. These represent the components of the overall cloud vision that you will present to stakeholders.
    2. The “cloud suitability” chart captures the service model that the assessment judges to be most suitable for the workload. Ask those present if any are surprised by the output. If there is any disagreement, discuss the source of the surprise and what a more realistic outcome would be. Revisit the assessment if necessary.
    3. Conduct a similar exercise with each of the other outputs. Does it make sense to refactor the workload based on its cloud suitability? Does the fact that we scored so highly on the “consultant” support model indicate something about how we handle upskilling internally? Does the profile of risks and roadblocks identified here align with expectations? What should be ranked higher? What about lower?
    4. Once everyone is generally satisfied with the results, close the tool and take a break! You’ve earned it.

    Cloud Vision Workbook

    Understand the cloud strategy components

    Each cloud strategy will take a slightly different form, but all should contain echoes of each of these components. This process will help you define your vision and direction, but you will need to take steps to execute on that vision. The remainder of the cloud strategy, covered in the related blueprint Document Your Cloud Strategy, comprises these fourteen topics divided across three categories: people, governance, and technology. The workload assessment covers these under risks and roadblocks and highlights areas that may require specific additional attention. When interpreting the results, think of these areas as comprising things that you will need to do to make your vision a reality.

    People

    • Skills and roles
    • Culture and adoption
    • Governing bodies

    Governance

    • Architecture
    • Integration and interoperability
    • Operations management
    • Cloud portfolio management
    • Cloud vendor management
    • Finance management
    • Security
    • Data controls

    Technology

    • Monitoring
    • Provisioning
    • Migration

    Strategy component: People

    People form the core of any good strategy. As part of your cloud vision, you will need to understand the implications a cloud transition will have on your staff and users, whether those users are internal or external.

    | Component | Description | Challenges |
    |---|---|---|
    | Skills and roles | The move to the cloud will require staff to learn how to handle new technology and new operational processes. The cloud is a different way of procuring IT resources and may require the definition of new roles to handle things like cost management and provisioning. | Staff may not have the necessary experience to migrate to a cloud environment or to effectively manage resources once the cloud transition is made. Cloud skills are difficult to hire for, and with the ever-changing nature of the platforms themselves, this shows no sign of abating. Redefining roles can also be politically challenging and should be done with due care and consideration. |
    | Culture and adoption | If you build it, they will come…right? It is not always the case that a new service immediately attracts users. Ensuring that organizational culture aligns with the cloud vision is a critical success factor. Equally important is ensuring that cloud resources are used as intended. | Those unfamiliar with cloud resources may be less willing to learn to use them. If alternatives exist (e.g. a legacy service that has not been shut down), or if those detractors are influential, this resistance may impede your cloud execution. Also, if the cloud transition involves significant effort or a fundamental rework (e.g. a DevOps transition) this role redefinition could cause some internal turmoil. |
    | Governing bodies | A large-scale cloud deployment requires formal governance. Formal governance requires a governing body that is ultimately responsible for designing the said governance. This could take the form of a “center of excellence” or may rest with a single cloud architect in a smaller, less complicated environment. | Governance is difficult. Defining responsibilities in a way that includes all relevant stakeholders without paralyzing the decision-making process is difficult. Implementing suggestions is a challenge. Navigating the changing nature of service provision (who can provision their own instances or assign licenses?) can be difficult as well. All these concerns must be addressed in a cloud strategy. |

    Strategy component: Governance

    Without guardrails, the cloud deployment will grow organically. This has strengths (people tend to adopt solutions that they select and deploy themselves), but these are more than balanced out by the drawbacks that come with inconsistency, poor administration, duplication of services, suboptimal costing, and any number of other unique challenges. The solution is to develop and deploy governance. The following list captures some of the necessary governance-related components of a cloud strategy.

    | Component | Description | Challenges |
    |---|---|---|
    | Architecture | Enterprise architecture is an important function in any environment with more than one interacting workload component (read: any environment). The cloud strategy should include an approach to defining and implementing a standard cloud architecture and should assign responsibility to an individual or group. | Sometimes the cloud transition is inspired by the desire to rearchitect. The necessary skills and knowledge may not be readily available to design and transition to a microservices-based environment, for example, vs. a traditional monolithic application architecture. The appropriateness of a serverless environment may not be well understood, and it may be the case that architects are unfamiliar with cloud best practices and reference architectures. |
    | Integration and interoperability | Many services are only highly functional when integrated with other services. What is a database without its front-end? What is an analytics platform without its data lake? For the cloud vision to be properly implemented, a strategy for handling integration and interoperability must be developed. It may be as simple as “all SaaS apps must be compatible with Okta” but it must be there. | Migration to the cloud may require a fundamentally new approach to integration, moving away from point-to-point integrations and towards an ESB or data lake. In many cases, this is easier said than done. Centralization of management may be appealing, but legacy applications – or those acquired informally in a one-off fashion – might not be so easy to integrate into a central management platform. |
    | Operations management | Service management (ITIL processes) must be aligned with your overall cloud strategy. Migrating to the cloud (where applicable) will require refining these processes, including incident, problem, request, change, and configuration management, to make them more suitable for the cloud environment. | Operations management doesn’t go away in the cloud, but it does change in line with the transition to shared responsibility. Responding to incidents may be more difficult on the cloud when troubleshooting is a vendor’s responsibility. Change management in a SaaS environment may be more receptive than staff are used to as cloud providers push changes out that cannot be rolled back. |

    Strategy component: Governance (cont.)

    | Component | Description | Challenges |
    |---|---|---|
    | Cloud portfolio management | This component refers to the act of managing the portfolio of cloud services that is available to IT and to business users. What requirements must a SaaS service meet to be onboarded into the environment? How do we account for exceptions to our IaaS policy? What about services that are only available from a certain provider? | Rationalizing services offers administrative benefits, but may make some tasks more difficult for end users who have learned things a certain way or rely on niche toolsets. Managing access through a service catalog can also be challenging based on buy-in and ongoing administration. It is necessary to develop and implement policy. |
    | Cloud vendor management | Who owns the vendor management function, and what do their duties entail? What contract language must be standard? What does due diligence look like? How should negotiations be conducted? What does a severing of the relationship look like? | Cloud service models are generally different from traditional hosted software and even from each other (e.g. SaaS vs. PaaS). There is a bit of a learning curve when it comes to dealing with vendors. Also relevant: the skills that it takes to build and maintain a system are not necessarily the same as those required to coherently interact with a cloud vendor. |
    | Finance management | Cloud services are, by definition, subject to a kind of granular, operational billing that many shops might not be used to. Someone will need to accurately project and allocate costs, while ensuring that services are monitored for cost abnormalities. | Cloud cost challenges often relate to overall expense (“the cloud is more expensive than an alternative solution”), expense variability (“I don’t know what my budget needs to be this quarter”), and cost complexity (“I don’t understand what I’m paying for – what’s an Elastic Beanstalk?”). |
    | Security | The cloud is not inherently more or less secure than a premises-based alternative, though the risk profile can be different. Applying appropriate security governance to ensure workloads are compliant with security requirements is an essential component of the strategy. | Technical security architecture can be a challenge, as well as navigating the shared responsibility that comes with a cloud transition. There are also a plethora of cloud-specific security tools like cloud access security brokers (CASBs), cloud security posture management (CSPM) solutions, and even secure access service edge (SASE) technology. |
    | Data controls | Data residency, classification, quality, and protection are important considerations for any cloud strategy. With cloud providers taking on outsized responsibility, understanding and governing data is essential. | Cloud providers like to abstract away from the end user, and while some may be able to guarantee residency, others may not. Additionally, regulations may prevent some data from going to the cloud, and you may need to develop a new organizational backup strategy to account for the cloud. |

    Strategy component: Technology

    Good technology will never replace good people and effective process, but it remains important in its own right. A migration that neglects the undeniable technical components of a solid cloud strategy is doomed to mediocrity at best and failure at worst. Understanding the technical implications of the cloud vision – particularly in terms of monitoring, provisioning, and migration – makes all the difference. You can interpret the results of the cloud workload assessments by reviewing the details presented here.

    | Component | Description | Challenges |
    |---|---|---|
    | Monitoring | The cloud must be monitored in line with performance requirements. Staff must ensure that appropriate tools are in place to properly monitor cloud workloads and that they are capturing adequate and relevant data. | Defining requirements for monitoring a potentially unfamiliar environment can be difficult, as can consolidating on a monitoring solution that both meets requirements and covers all relevant areas. There may be some upskilling and integration work required to ensure that monitoring works as required. |
    | Provisioning | How will provisioning be done? Who will be responsible for ensuring the right people have access to the right resources? What tooling must be deployed to support provisioning goals? What technical steps must be taken to ensure that the provisioning is as seamless as possible? | There is the inevitable challenge of assigning responsibility and accountability in a changing infrastructure and operations environment, especially if the changes are substantial (e.g. a fundamental operating model shift, reoriented around the cloud). Staff may also need to familiarize themselves with cloud-based provisioning tools like Ansible, Terraform, or even CloudFormation. |
    | Migration | The act of migrating is important as well. In some cases, the migration is as simple as configuring the new environment and turning it up (e.g. with a net new SaaS service). In other cases, the migration itself can be a substantial undertaking, involving large amounts of data, a complicated replatforming/refactoring, and/or a significant configuration exercise. | Not all migration journeys are created equal, and challenges include a general lack of understanding of the requirements of a migration, the techniques that might be necessary to migrate to a particular cloud (there are many) and the disruption/risk associated with moving large amounts of data. All of these challenges must be considered as part of the overall cloud strategy, whether in terms of architectural principles or skill acquisition (or both!). |

    Step 2.2

    Determine workload future state

    Activities

    2.2.1 Determine workload future state

    Conduct workload assessments

    Determine workload future state

    This step involves the following participants:

    • IT management
    • Core working group

    Outcomes of this step

    • Completed workload assessments
    • Defined workload future state

    2.2.1 Determine workload future state

    1-3 hours

    Input

    • Completed workload assessments

    Output

    • Preliminary future state outputs

    Materials

    • Cloud Vision Workbook
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    • Service owners
    • IT management
    1. After you’ve had a chance to validate your results, refer to tab 7 of the tool, where you will find a blank notes section.
    2. With the working group, capture your answers to each of the following questions:
      1. What service model is the most suitable for the workload? Why?
      2. How will we conduct the migration? Which of the six models makes the most sense? Do we have a backup plan if our primary plan doesn’t work out?
      3. What should the support model look like?
      4. What are some workload-specific risks and considerations that must be taken into account for the workload?
    3. Once you’ve got answers to each of these questions for each of the workloads, include your summary in the “notes” section of tab 7.

    Cloud Vision Executive Presentation

    Paste the output into the Cloud Vision Executive Presentation

    • The Cloud Vision Workbook output is a compact, consumable summary of each workload’s planned future state. Paste each assessment in as necessary.
    • There is no absolutely correct way to present the information, but the output is a good place to start. Do note that, while the presentation is designed to lead with the vision statement, because the process is workload-first, the assessments are populated prior to the overall vision in a bottom-up manner.
    • Be sure to anticipate the questions you are likely to receive from any stakeholders. You may consider preparing for questions like: “What other workloads fit this profile?” “What do we expect the impact on the budget to be?” “How long will this take?” Keep these and other questions in mind as you progress through the vision definition process.

    The image shows the Cloud Vision Workbook output, which was described in an annotated version in an earlier section.

    Info-Tech Insight

    Keep your audience in mind. You may want to include some additional context in the presentation if the results are going to be presented to non-technical stakeholders or those who are not familiar with the terms or how to interpret the outputs.

    Identify and Mitigate Risks

    Build the foundations of your cloud vision

    PHASE 3

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Generate risks and roadblocks
    • Mitigate risks and roadblocks
    • Define roadmap initiatives

    This phase involves the following participants:

    • Core working group
    • Workload subject matter experts

    You know what you want to do, but what do you have to do?

    What questions remain unanswered?

    There are workload-level risks and roadblocks, and there are environment-level risks. This phase is focused primarily on environment-level risks and roadblocks, or those that are likely to span multiple workloads (but this is not a hard and fast rule – anything that you deem worth discussing is worth discussing). The framework here calls for an open forum where all stakeholders – technical and non-technical, pro-cloud and anti-cloud, management and individual contributor – have an opportunity to articulate their concerns, however specific or general, and receive feedback and possible mitigation.

    Start by soliciting feedback. You can do this over time or in a single session. Encourage anyone with an opinion to share it. Focus on those who are likely to have a perspective that will become relevant at some point during the creation of the cloud strategy and the execution of any migration. Explain the preliminary direction; highlight any major changes that you foresee. Remind participants that you are not looking for solutions (yet), but that you want to make sure you hear any and every concern as early as possible. You will get feedback and it will all be valuable.

    Before cutting your participants loose, remind them that, as with all business decisions, the cloud comes with trade-offs. Not everyone will have every wish fulfilled, and in some cases, significant effort may be needed to get around a roadblock, risks may need to be accepted, and workloads that looked like promising candidates for one service model or another may not be able to realize that potential. This is a normal and expected part of the cloud vision process.

    Once the risks and roadblocks conversation is complete, it is the core working group’s job to propose and validate mitigations. Not every risk can be completely resolved, but the cloud has been around for decades – chances are someone else has faced a similar challenge and made it through relatively unscathed. That work will inevitably result in initiatives for immediate execution. Those initiatives will form the core of the initiative roadmap that accompanies the completed Cloud Vision Executive Presentation.

    Step 3.1

    Generate risks and roadblocks

    Activities

    3.1.1 Generate risks and roadblocks

    3.1.2 Generate mitigations

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group
    • IT management
    • Infrastructure
    • Applications
    • Security
    • Architecture

    Outcomes of this step

    • List of risks and roadblocks

    Understand risks and roadblocks

    Risk

    • Something that could potentially go wrong.
    • You can respond to risks by mitigating them:
      • Eliminate: take action to prevent the risk from causing issues.
      • Reduce: take action to minimize the likelihood/severity of the risk.
      • Transfer: shift responsibility for the risk away from IT, towards another division of the company.
      • Accept: where the likelihood or severity is low, it may be prudent to accept that the risk could come to fruition.

    Roadblock

    • There are things that aren’t “risks” that we care about when migrating to the cloud.
    • We know, for example, that a complicated integration situation will create work items for any migration – this is not an “unknown.”
    • We respond to roadblocks by generating work items.

    3.1.1 Generate risks and roadblocks

    1.5 hours

    Input

    • Completed cloud vision assessments

    Output

    • List of risks and roadblocks

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    • Service owners/workload SMEs
    • Anyone with concerns about the cloud
    1. Gather your core working group – and really anyone with an intelligent opinion on the cloud – into a single meeting space. Give the group 5-10 minutes to list anything they think could present a difficulty in transitioning workloads to the cloud. Write each risk/roadblock on its own sticky note. You will never be 100% exhaustive, but don’t let anything your users care about go unaddressed.
    2. Once everyone has had time to write down their risks and roadblocks, have everyone share one by one. Make sure you get them all. Overlap in risks and roadblocks is okay! Group similar concerns together to give a sort of heat map of what your participants are concerned about. (This is called “affinity diagramming.”)
    3. Assign names to these categories. Many of these categories will align with the strategy components discussed in the previous phase (governance, security, etc.), but some will be specific, whether by nature or by degree.
    4. Sort each of the individual risks into its respective category, collapsing any exact duplicates, and leaving room for notes and mitigations (see the next slide for a visual).

    Understand risks and roadblocks

    The image is two columns--on the left, the column is titled Affinity Diagramming. Below the title, there are many colored blocks, randomly arranged. There is an arrow pointing right, to the same coloured blocks, now sorted by colour. In the right column--titled Categorization--each colour has been assigned a category, with subcategories.

    Step 3.2

    Mitigate risks and roadblocks

    Activities

    3.2.1 Generate mitigations

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • List of mitigations

    Is the public cloud less secure?

    This is the key risk-related question that most cloud customers will have to answer at some point: does migrating to the cloud for some services increase their exposure and create a security problem?

    As with all good questions, the answer is “it depends.” But what does it depend on? Consider these cloud risks and potential mitigations:

    1. Misconfiguration: An error grants access to unauthorized parties (as happened to Capital One in 2019). This can be mitigated by careful configuration management and third-party tooling.
    2. Unauthorized access by cloud provider/partner employees: Though rare, it is possible that a cloud provider or partner can be a vector for a breach. Careful contract language, choosing to own your own encryption keys, and a hybrid approach (storing data on-premises) are some possible ways to address this problem.
    3. Unauthorized access to systems: Cloud services are designed to be accessed from anywhere and may be accessed by malicious actors. Possible mitigations include risk-based conditional access, careful identity access management, and logging and detection.

    “The cloud is definitely more secure in that you have much more control, you have much more security tooling, much more visibility, and much more automation. So it is more secure. The caveat is that there is more risk. It is easier to accidentally expose data in the cloud than it is on-premises, but, especially for security, the amount of tooling and visibility you get in cloud is much more than anything we’ve had in our careers on-premises, and that’s why I think cloud in general is more secure.” –Abdul Kittana, Founder, ASecureCloud

    Breach bests bank

    No cloud provider can protect against every misconfiguration

    Industry: Finance

    Source: The New York Times, CNET

    Background

    Capital One is a major Amazon Web Services customer and is even featured on Amazon’s site as a case study. That case study emphasizes the bank’s commitment to the cloud and highlights how central security and compliance were. From the CTO: “Before we moved a single workload, we engaged groups from across the company to build a risk framework for the cloud that met the same high bar for security and compliance that we meet in our on-premises environments. AWS worked with us every step of the way.”

    Complication

    The cloud migration was humming along until July 2019, when the bank suffered a serious breach at the hands of a hacker. That hacker was able to steal millions of credit card applications and hundreds of thousands of Social Security numbers, bank account numbers, and Canadian social insurance numbers.

    According to investigators and to AWS, the breach was caused by an open reverse proxy attack against a misconfigured web app firewall, not by an underlying vulnerability in the cloud infrastructure.

    Results

    Capital One reported that the breach was expected to cost it $150 million, and AWS fervently denied any blame. The US Senate got involved, as did national media, and Capital One’s CEO issued a public apology, writing, “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

    It was a bad few months for IT at Capital One.

    3.2.1 Generate mitigations

    3-4.5 hours

    Input

    • Completed cloud vision assessments

    Output

    • List of risks and roadblocks

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    • Service owners/workload SMEs
    • Anyone with concerns about the cloud
    1. Recall the four mitigation strategies: eliminate, reduce, transfer, or accept. Keep these in mind as you work through the list of risks and roadblocks with the core working group. For every individual risk or roadblock raised in the initial generation session, suggest a specific mitigation. If the concern is “SaaS providers having access to confidential information,” a mitigation might be encryption, specific contract language, or proof of certifications (or all the above).
    2. Work through this for each of the risks and roadblocks, identifying the steps you need to take that would satisfy your requirements as you understand them.
    3. Once you have gone through the whole list – ideally with input from SMEs in particular areas like security, engineering, and compliance/legal – populate the Cloud Vision Workbook (tab 8) with the risks, roadblocks, and mitigations (sorted by category). Review tab 8 for an example of the output of this exercise.

    Cloud Vision Workbook

    Cloud Vision Workbook – mitigations

    The image shows a large chart titled Risks, roadblocks, and mitigations, which has been annotated with notes.

    Step 3.3

    Define roadmap initiatives

    Activities

    3.3.1 Generate roadmap initiatives

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • Defined roadmap initiatives

    3.3.1 Generate roadmap initiatives

    1 hour

    Input

    • List of risk and roadblock mitigations

    Output

    • List of cloud initiatives

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Executing on your cloud vision will likely require you to undertake some key initiatives, many of which have already been identified as part of your mitigation exercise. On tab 8 of the Cloud Vision Workbook, review the mitigations you created in response to the risks and roadblocks identified. Initiatives should generally be assignable to a party and should have a defined scope/duration. For example, “assess all net new applications for cloud suitability” might not be counted as an initiative, but “design a cloud application assessment” would likely be.
    2. Design a timeline appropriate for your specific needs. Generally short-term (less than 3 months), medium-term (3-6 months), and long-term (greater than 6 months) will work, but this is entirely based on preference.
    3. Review and validate the parameters with the working group. Consider creating additional color-coding (highlighting certain tasks that might be dependent on a decision or have ongoing components).

    Cloud Vision Workbook

    Bridge the gap and create the vision

    Build the foundations of your cloud vision

    Phase 4

    This phase will walk you through the following activities:

    • Assign initiatives and propose timelines
    • Build a delivery model rubric
    • Build a service model rubric
    • Build a support model rubric
    • Create a cloud vision statement
    • Map cloud workloads
    • Complete the Cloud Vision presentation

    This phase involves the following participants:

    • IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders

    Step 4.1

    Review and assign work items

    Activities

    4.1.1 Assign initiatives and propose timelines

    Bridge the gap and create the vision

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group
    • IT management

    Outcomes of this step

    • Populated cloud vision roadmap

    4.1.1 Assign initiatives and propose timelines

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Once the list is populated, begin assigning responsibility for execution. This is not a RACI exercise, so focus on the functional responsibility. Once you have determined who is responsible, assign a timeline and include any notes. This will form the basis of a more formal project plan.
    2. To assign the initiative to a party, consider 1) who will be responsible for execution and 2) if that responsibility will be shared. Be as specific as possible, but be sure to be consistent to make it easier for you to sort responsibility later on.
    3. When assigning timelines, we suggest including the end date (when you expect the project to be complete) rather than the start date, though whatever you choose, be sure to be consistent. Make use of the notes column to record anything that you think any other readers will need to be aware of in the future, or details that may not be possible to commit to memory.

    Cloud Vision Workbook

    Step 4.2

    Finalize cloud decision framework

    Activities

    4.2.1 Build a delivery model rubric

    4.2.2 Build a service model rubric

    4.2.3 Build a support model rubric

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • Cloud decision framework

    4.2.1 Build a delivery model rubric

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    Participants

    • Core working group
    1. Now that we have a good understanding of the cloud’s key characteristics, the relative suitability of different workloads for the cloud, and a good understanding of some of the risks and roadblocks that may need to be overcome if a cloud transition is to take place, it is time to formalize a delivery model rubric. Start by listing the delivery models on a white board vertically – public, private, hybrid, and multi-cloud. Include a community cloud option as well if that is feasible for you. Strike any models that do not figure into your vision.
    2. Create a table style rubric for each delivery model. Confer with the working group to determine what characteristics best define workloads suitable for each model. If you have a hybrid cloud option, you may consider workloads that are highly dynamic; a private cloud hosted on-premises may be more suitable for workloads that have extensive regulatory requirements.
    3. Once the table is complete, include it in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Delivery model – Decision criteria

    Public cloud
      • Public cloud is the primary destination for all workloads as the goal is to eliminate facilities and infrastructure management
      • Offers features, broad accessibility, and managed updates along with provider-managed facilities and hardware

    Legacy datacenter
      • Any workload that is not a good fit for the public cloud
      • Dependency (like a USB key for license validation)
      • Performance requirements (e.g. workloads highly sensitive to transaction thresholds)
      • Local infrastructure components (firewall, switches, NVR)

    Summary statement: Everything must go! Public cloud is a top priority. Anything that is not compatible (for whatever reason) with a public cloud deployment will be retained in a premises-based server closet (downgraded from a full datacenter). The private cloud does not align with the overall organizational vision, nor does a hybrid solution.

    4.2.2 Build a service model rubric

    1 hour

    Input

    • Output of workload assessments
    • Output of risk and mitigation exercise

    Output

    • Service model rubric

    Materials

    • Whiteboard
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    1. This next activity is like the delivery model activity, but covers the relevant cloud service models. On a whiteboard, make a vertical list of the cloud service models (SaaS, PaaS, IaaS, etc.) that will be considered for workloads. If you have an order of preference, place your most preferred at the top, your least preferred at the bottom.
    2. Describe the circumstances under which you would select each service model. Do your best to focus on differentiators. If a decision criterion appears for multiple service models, consider refining or excluding it. (For additional information, check out Info-Tech’s Reimagine IT Operations for a Cloud-First World blueprint.)
    3. Create a summary statement to capture your overall service model position. See the next slide for an example. Note: this can be incorporated into your cloud vision statement, so be sure that it reflects your genuine cloud preferences.
    4. Record the results in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Service model – Decision criteria

    SaaS
      SaaS first; opt for SaaS when:
      • A SaaS option exists that meets all key business requirements
      • There is a strong desire to have someone else (the vendor) manage infrastructure components/the platform
      • Not particularly sensitive to performance thresholds
      • The goal is to transition management of the workload outside of IT
      • SaaS is the only feasible way to consume the desired service

    PaaS
      • Highly customized service/workload – SaaS not feasible
      • Still preferable to offload as much management as possible to third parties
      • Customization required, but not at the platform level
      • The workload is built using a standard framework
      • We have the time/resources to replatform

    IaaS
      • Service needs to be lifted and shifted out of the datacenter quickly
      • Customization is required at the platform level/there is value in managing components
      • There is no need to manage facilities
      • Performance is not impacted by hosting the workload offsite
      • There is value in right-sizing the workload over time

    On-premises
      • Anything that does not fit in the cloud for performance or other reasons (e.g. licensing key)

    Summary statement: SaaS will be the primary service model. All workloads will migrate to the public cloud where possible. Anything that cannot be migrated to SaaS will be migrated to PaaS. IaaS is a transitory step.

    4.2.3 Build a support model rubric

    1 hour

    Input

    • Results of the cloud workload assessments

    Output

    • Support model rubric

    Materials

    • Whiteboard
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    1. The final rubric covered here is that for the support model. Where will you procure the skills necessary to ensure the vision’s proper execution? Much like the other rubric activities, write the three support models vertically (in order of preference, if you have one) on a whiteboard.
    2. Next to each model, describe the circumstances under which you would select each support model. Focus on the dimensions: the duration of the engagement, specialization required, and flexibility required. If you have existing rules/practices around hiring consultants/MSPs, consider those as well.
    3. Once you have a good list of decision criteria, form a summary statement. This should encapsulate your position on support models and should mention any notable criteria that will contribute to most decisions.
    4. Record the results in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Support model – Decision criteria

    Internal IT
      The primary support model will be internal IT going forward
      • Chosen where the primary work required is administrative
      • Where existing staff can manage the service in the cloud easily and effectively
      • Where the chosen solution fits the SaaS service model

    Consultant
      • Where the work required is time-bound (e.g. a migration/refactoring exercise)
      • Where the skills do not exist in house, and where the skills cannot easily be procured (specific technical expertise required in areas of the cloud unfamiliar to staff)
      • Where opportunities for staff to learn from consultant SMEs are valuable
      • Where ongoing management and maintenance can be handled in house

    MSP
      • Where an ongoing relationship is valued
      • Where ongoing administration and maintenance are disproportionately burdensome on IT staff (or where this administration and maintenance is likely to be burdensome)
      • Where the managed services model has already been proven out
      • Where specific expertise in an area of technology is required but this does not rise to the need to hire an FTE (e.g. telephony)

    Summary statement: Most workloads will be managed in house. A consultant will be employed to facilitate the transition to micro-services in a cloud container environment, but this will be transitioned to in-house staff. An MSP will continue to manage backups and telephony.

    Step 4.3

    Create cloud vision

    Activities

    4.3.1 Create a cloud vision statement

    4.3.2 Map cloud workloads

    4.3.3 Complete the Cloud Vision Presentation

    This step involves the following participants:

    • Core working group
    • IT management

    Outcomes of this step

    • Completed Cloud Vision Executive Presentation

    4.3.1 Create a cloud vision statement

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Now that you know what service models are appropriate, it’s time to summarize your cloud vision in a succinct, consumable way. A good vision statement should have three components:
      • Scope: Which parts of the organization will the strategy impact?
      • Goal: What is the strategy intended to accomplish?
      • Key differentiator: What makes the new strategy special?
    2. On a whiteboard, make a chart with three columns (one column for each of the features of a good mission statement). Have the group generate a list of words to describe each of the categories. Ideally, the group will produce multiple answers for each category.
    3. Once you’ve gathered a few different responses for each category, have the team put their heads down and generate pithy mission statements that capture the sentiments underlying each category.
    4. Have participants read their vision statements in front of the group. Use the rest of the session to produce a final statement. Record the results in the Cloud Strategy Executive Presentation.

    Example vision statement outputs

    “IT at ACME Corp. hereby commits to providing clients and end users with an unparalleled, productivity-enabling technology experience, leveraging, insofar as it is possible and practical, cloud-based services.”

    “At ACME Corp. our employees and customers are our first priority. Using new, agile cloud services, IT is devoted to eliminating inefficiency, providing cutting-edge solutions for a fast-paced world, and making a positive difference in the lives of our colleagues and the people we serve.”

    “As a global leader in technology, ACME Corp. is committed to taking full advantage of new cloud services, looking first to agile cloud options to optimize internal processes wherever efficiency gaps exist. Improved efficiency will allow associates to spend more time on ACME’s core mission: providing an unrivalled customer experience.”

    Scope

    Goal

    Key differentiator

    4.3.2 Map cloud workloads

    1 hour

    Input

    • List of workloads
    • List of acceptable service models
    • List of acceptable migration paths

    Output

    • Workloads mapped by service model/migration path

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    1. Now that you have defined your overall cloud vision as well as your service model options, consider aligning your service model preferences with your migration path preferences. Draw a table with your expected migration strategies across the top (retain, retire, rehost, replatform, refactor, repurchase, or some of these) and your expected service models across the side.
    2. On individual sticky notes, write a list of workloads in your environment. In a smaller environment, this list can be exhaustive. Otherwise take advantage of the list you created as part of phase 1 along with any additional workloads that warrant discussion.
    3. As a group, go through the list, placing the sticky notes first in the appropriate row based on their characteristics and the decision criteria that have already been defined, and then in the appropriate column based on the appropriate migration path. (See the next slide for an example of what this looks like.)
    4. Record the results in the Cloud Vision Executive Presentation. Note: not every cell will be filled; some migration path/service model combinations are impossible or otherwise undesirable.

    Cloud Vision Executive Presentation

    Example cloud workload map

    Migration paths (columns): Repurchase, Replatform, Rehost, Retain

    Service models (rows) and their workloads:
      • SaaS: Office suite, AD
      • PaaS: SQL Database
      • IaaS: File Storage, DR environment
      • Other: CCTV, Door access

    4.3.3 Complete the Cloud Vision Presentation

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Open the Cloud Vision Executive Presentation to the second slide and review the templated executive brief. This comprises several sections (see the next slide). Populate each one:
      • Summary of the exercise
      • The cloud vision statement
      • Key cloud drivers
      • Risks and roadblocks
      • Top initiatives and next steps
    2. Review the remainder of the presentation. Be sure to elaborate on any significant initiatives and changes (where applicable) and to delete any slides that you no longer require.

    Cloud Vision Workbook

    Sample cloud vision executive summary

    • From [date to date], a cross-functional group representing IT and its constituents met to discuss the cloud.
    • Over the course of the week, the group identified drivers for cloud computing and developed a shared vision, evaluated several workloads through an assessment framework, identified risks, roadblocks, and mitigations, and finally generated initiatives and next steps.
    • From the process, the group produced a summary and a cloud suitability assessment framework that can be applied at the level of the workload.

    Cloud Vision Statement

    [Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support, and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.

    Cloud Drivers

    • Retire the datacenter
    • Do more valuable work
    • Right-size the environment
    • Reduce CapEx
    • Facilitate ease of mgmt.
    • Work from anywhere
    • Reduce capital expenditure
    • Take advantage of elasticity

    Risks and roadblocks

    • Performance and availability
    • Governance
    • Security
    • Rationalization
    • Cost
    • Skills
    • Migration
    • Remaining premises resources
    • BC, backup, and DR
    • Control

    Initiatives and next steps

    • Close the datacenter and colocation site in favor of a SaaS-first cloud approach.
    • Some workloads will migrate to infrastructure-as-a-service in the short term with the assistance of third-party consultants.

    Document your cloud strategy

    You did it!

    Congratulations! If you’ve made it this far, you’ve successfully articulated a cloud vision, assessed workloads, developed an understanding (shared with your team and stakeholders) of cloud concepts, and mitigated risks and roadblocks that you may encounter along your cloud journey. From this exercise, you should understand your mission and vision, how your cloud plans will interact with any other relevant strategic plans, and what successful execution looks like, as well as developing a good understanding of overall guiding principles. These are several components of your overall strategy, but they do not comprise the strategy in its entirety.

    How do you fix this?

    First, validate the results of the vision exercise with your stakeholders. Socialize it and collect feedback. Make changes where you think changes should be made. This will become a key foundational piece. The next step is to formally document your cloud strategy. This is a separate project and is covered in the Info-Tech blueprint Document Your Cloud Strategy.

    The vision exercise tells you where you want to go and offers some clues as to how to get there. The formal strategy exercise is a formal documentation of the target state, but also captures in detail the steps you’ll need to take, the processes you’ll need to refine, and the people you’ll need to hire.

    A cloud strategy should comprise your organizational stance on how the cloud will change your approach to people and human resources, technology, and governance. Once you are confident that you can make and enforce decisions in these areas, you should consider moving on to Document Your Cloud Strategy. This blueprint, Define Your Cloud Vision, often serves as a prerequisite for the strategy documentation conversation(s).

    Appendix

    Summary of Accomplishment

    Additional Support

    Research Contributors

    Related Info-Tech Research

    Vendor Resources

    Bibliography

    Summary of Accomplishment

    Problem Solved

    You have now documented what you want from the cloud, what you mean when you say “cloud,” and some preliminary steps you can take to make your vision a reality.

    You now have at your disposal a framework for identifying and evaluating candidates for their cloud suitability, as well as a series of techniques for generating risks and mitigations associated with your cloud journey. The next step is to formalize your cloud strategy using the takeaways from this exercise. You’re well on your way to a completed cloud strategy!

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Generate drivers for cloud adoption

    Work with stakeholders to understand the expected benefits of the cloud migration and how these drivers will impact the overall vision.

    Conduct workload assessments

    Assess your individual cloud workloads for their suitability as candidates for the cloud migration.

    2020 Applications Priorities Report

    • Although IT may have time to look at trends, it does not have the capacity to analyze the trends and turn them into initiatives.
    • IT does not have time to parse trends for initiatives that are relevant to them.
    • The business complains that if IT does not pursue trends the organization will get left behind by cutting-edge competitors. At the same time, when IT pursues trends, the business feels that IT is unable to deal with the basic issues.

    Our Advice

    Critical Insight

    • Take advantage of a trend by first understanding why it is happening and how it is actionable. Build momentum now. Breaking a trend into bite-sized initiatives and building them into your IT foundations enables the organization to maintain pace with competitors and make the technological leap.
    • The concepts of shadow IT and governance are critical. As it becomes easier for the business to purchase its own applications, it will be essential for IT to embrace this form of user empowerment. With a diminished focus on vendor selection, IT will drive the most value by directing its energy toward data and integration governance.

    Impact and Result

    • Determine how to explore, adopt, and optimize the technology and practice initiatives in this report by understanding which core objective(s) each initiative serves:
      • Optimize the effectiveness of the IT organization.
      • Boost the productivity of the enterprise.
      • Enable business growth through technology.

    2020 Applications Priorities Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief for a summary of the priorities and themes that an IT organization should focus on this year.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read the 2020 Applications Priorities Report

    Use Info-Tech's 2020 Applications Priorities Report to learn about the five initiatives that IT should prioritize for the coming year.

    • 2020 Applications Priorities Report Storyboard

    Endpoint Management Selection Guide

    Endpoint management solutions are becoming essential: deploying the right devices and applications to the right user and zero-touch provisioning are indispensable parts of a holistic strategy for improving customer experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

    Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering concrete business value.

    Our Advice

    Critical Insight

    Investigate vendors’ roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements, without any unnecessary investment in features that are not currently useful for you. Make sure you don’t purchase capabilities that you will never use.

    Impact and Result

    • Determine what you require from an endpoint management solution.
    • Review the market space and product offerings, and compare capabilities of key players.
    • Create a use case and use top-level requirements to determine use cases and shortlist vendors.
    • Conduct a formal process for interviewing vendors using Info-Tech’s templates to select the best platform for your requirements.

    Endpoint Management Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Endpoint Management Selection Guide Storyboard – A structured guide to walk you through the endpoint management market.

    This storyboard will help you understand endpoint management solution core capabilities and prepare you to select an appropriate tool.

    • Endpoint Management Selection Guide Storyboard

    2. UEM Requirements Workbook – A template to help you build your first draft of requirements for UEM selection.

    Use this spreadsheet to brainstorm use cases and features to satisfy your requirements. This document will help you score solutions and narrow down the field to a list of candidates who can meet your requirements.

    • UEM Requirements Workbook

    Further reading

    Endpoint Management Selection Guide

    Streamline your organizational approach to selecting a right-sized endpoint management platform.

    EXECUTIVE BRIEF

    Analyst Perspective

    Revolutionize your endpoint management with a proper tool selection approach

    The endpoint management market has an ever-expanding and highly competitive landscape. The market has undergone tremendous evolution in past years, from device management to application deployments and security management. The COVID-19 pandemic forced organizations to service employees and end users remotely while making sure corporate data is safe and user satisfaction doesn't get negatively affected. In the meantime, vendors were forced to leverage technology enhancements to satisfy such requirements.

    That being said, endpoint management solutions have become more complex, with many options to manage operating systems and run applications for relevant user groups. With the work-from-anywhere model, customer support is even more important than before, as a remote workforce may face more issues than before, or enterprises may want to ensure more compliance with policies.

    Moreover, the market has become more complex, with lots of added capabilities. Some features may not be beneficial to corporations, and with a poor market validation, businesses may end up paying for some capabilities that are not useful.

    In this blueprint, we help you quickly define your requirements for endpoint management and narrow down a list to find the solutions that fulfill your use cases.

    Mahmoud Ramin, PhD
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Endpoint management solutions are becoming increasingly essential – deploying the right devices and applications to the right users and zero-touch provisioning are indispensable parts of a holistic strategy for improving customers' experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

    Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering concrete business value.

    Common Obstacles

    Despite the importance of selecting the right endpoint management platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner. There are many options available, which can cause business and IT leaders to feel lost.

    The endpoint management market is evolving quickly, making the selection process tedious. On top of that, IT has a hard time defining their needs and aligning solution features with their requirements.

    Info-Tech's Approach

    Determine what you require from an endpoint management solution.

    Review the market space and product offerings, and compare the capabilities of key players.

    Create a use case – use top-level requirements to determine use cases and short-list vendors.

    Conduct a formal process for interviewing vendors, using Info-Tech's templates to select the best platform for your requirements.

    Info-Tech Insight

    Investigate vendors' roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements without any unnecessary investment in features that are not currently useful for you. Make sure you don't purchase capabilities that you will never use.

    What are endpoint management platforms?

    Our definition: Endpoint management solutions are platforms that enable IT to provision, secure, monitor, and update endpoints appropriately to ensure that they are in good health. Typical examples of endpoints are laptops, computers, wearable devices, tablets, smart phones, servers, and the Internet of Things (IoT).

    First, understand differences between mobile management solutions

    • Endpoint management solutions monitor and control the status of endpoints. They help IT manage and control their environment and provide top-notch customer service.
    • These solutions ensure seamless and efficient problem management, software updates, and remediation in a secure environment.
    • Endpoint management solutions have evolved very quickly to satisfy IT and user needs:
      • Mobile Device Management (MDM) helps with controlling features of a device.
      • Enterprise Mobile Management (EMM) controls everything in a device.
      • Unified Endpoint Management (UEM) manages all endpoints.

    Endpoint management includes:

    • Device management
    • Device configuration
    • Device monitoring
    • Device security

    Info-Tech Insight

    As endpoint management encompasses a broad range of solution categories including MDM, EMM, and UEM, look for your real requirements. Don't pay for something that you won't end up using.

    As UEM covers all MDM and EMM capabilities, this blueprint reviews UEM market trends to give you an overall view of the market in this space.

    Your challenge: Endpoint management has evolved significantly over the past few years, which makes software selection overwhelming

    An image showing endpoint management visualized as positions on an iceberg. At the top is UEM, at the midpoint above the waterline is Enterprise Mobile Management, and below the water is Mobile Device Management.

    Additional challenges occur in securing endpoints

    A rise in the number of attacks on cloud services creates a need to leverage endpoint management solutions

    MarketsandMarkets predicted that global cloud infrastructure services would increase from US$73 billion in 2019 to US$166.6 billion in 2024 (2019).

    A study by the Ponemon Institute showed that 68% of respondents believe that security attacks increased over the past 12 months (2020).

    The study reveals that over half of IT security professionals who participated in the survey believe that organizations are not very efficient in securing their endpoints, mainly because they're not efficient in detecting attacks.

    IT professionals would like to link endpoint management and security platforms to unify visibility and control, to determine potential risks to endpoints, and to manage them in a single solution.

    Businesses will continue to be compromised by the vulnerabilities of cloud services, which pose a challenge to organizations trying to maintain control of their data.

    Trends in endpoint management have been undergoing a tremendous change

    In 2020, about 5.2 million users subscribed to mobile services, and smartphones accounted for 65% of connections. This will increase to 80% by 2025.
    Source: Fortune Business Insights, 2021

    Info-Tech's methodology for selecting a right-sized endpoint management platform

    Phase 1. Understand Core Features and Build Your Use Case

    Phase Steps

    1. Define endpoint management platforms
    2. Explore endpoint management trends
    3. Classify table stakes & differentiating capabilities
    4. Streamline the requirements elicitation process for a new endpoint management platform

    Phase Outcomes

    1. Consensus on scope of endpoint management and key endpoint management platform capabilities
    2. Top-level use cases and requirements

    Phase 2. Discover the Endpoint Management Market Space and Select the Right Vendor

    Phase Steps

    1. Discover key players across the vendor landscape
    2. Engage the shortlist and select finalists
    3. Prepare for implementation

    Phase Outcomes

    1. Overview of shortlisted vendors
    2. Prioritized list of UEM features

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2

    Call #1: Understand what an endpoint management platform is and learn how it evolved. Discuss core capabilities and key trends.
    Call #2: Build a use case and define features to fulfill the use case.

    Call #3: Define your core endpoint management platform requirements.
    Call #4: Evaluate the endpoint management platform vendor landscape and shortlist viable options.
    Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The endpoint management purchase process should be broken into segments:

    1. Endpoint management vendor shortlisting with this buyer's guide
    2. Structured approach to selection
    3. Contract review

    Info-Tech's approach

    The Info-Tech difference:

    • Analyze needs: Determine where you need to improve the tools and processes used to support the company.
    • Assess existing solution: Determine if your solution can be upgraded or easily updated to meet your needs.
    • Create a business case for change: A two-part business case will focus on a need to change and use cases and requirements to bring stakeholders onboard.
    • Improve existing: Work with Info-Tech's analysts to determine next steps to improve your process and make better use of the features you have available.

    • Evaluate solutions: Determine the best fit for your needs by scoring against features.
    • Features: Determine which features will be key to your success.
    • Use Cases: Create use cases to ensure your needs are met as you evaluate features.
    • High-Level Requirements: Use the high-level requirements to determine use cases and shortlist vendors.

    Complementary research:

    Create a quick business case and requirements document to align stakeholders to your vision with Info-Tech's Rapid Application Selection Framework.
    See what your peers are saying about these vendors at SoftwareReviews.com.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Phase 1

    Understand core features and build your business case

    Phase 1

    • Define endpoint management platforms
    • Explore endpoint management trends
    • Classify table stakes & differentiating capabilities
    • Streamline the requirements elicitation process for a new endpoint management platform

    Phase 2

    • Discover key players across the vendor landscape
    • Engage the shortlist and select finalist
    • Prepare for implementation

    This phase will walk you through the following activity:

    Define use cases and core features for meeting business and technical goals

    This phase involves the following participants:

    • CIO
    • IT manager
    • Infrastructure & Applications directors

    Mobile Device Management

    MDM applies security over corporate-owned devices.

    What is MDM and what can you do with it?

    1. MDM helps manage and control corporate-owned devices.
    2. You can enforce company policies and track, monitor, and lock devices remotely with an MDM.
    3. MDM helps with remote wiping of the device when it is lost or stolen.
    4. You can avoid unsecured Wi-Fi connections via MDM.

    Enterprise Mobile Management

    EMM solutions solve the restrictions that arose with the BYOD (Bring Your Own Device) and COPE (Corporate Owned, Personally Enabled) provisioning models.

    • IT needs to secure corporate-owned data without compromising personal and private data. MDM cannot fulfill this requirement. This led to the development of EMM solutions.
    • EMM tools allow you to manage multiple device platforms through MDM protocols. These tools enforce security settings, allow you to push apps to managed devices, and monitor patch compliance through reporting.

    MDM solutions function at the level of corporate devices. Something else was needed to enable personal device management.

    Major components of EMM solutions

    Mobile Application Management (MAM)

    Allows organizations to control individual applications and their associated data. It restricts malicious apps and enables in-depth application management, configuration, and removal.

    Containerization

    Enables separation of work-related data from private data. It provides encrypted containers on personal devices to separate the data, providing security on personal devices while maintaining users' personal data.

    Mobile Content Management (MCM)

    Helps remote distribution, control, management, and access to corporate data.

    Mobile Security Management (MSM)

    Provides application and data security on devices. It enables application analysis and auditing. IT can use MSM to provide strong passwords to applications, restrict unwanted applications, and protect devices from unsecure websites by blacklisting them.

    Mobile Expense Management (MEM)

    Enables mobile data communication expenses auditing. It can also set data limits and restrict network connections on devices.

    Identity Management

    Sets role-based access to corporate data. It also controls how different roles can use data, improving application and data security. Multifactor authentication can be enforced through the identity management feature of an EMM solution.

    Unified endpoint management: Control all endpoints in a single pane of glass

    IT admins used to provide customer service such as installation, upgrades, patches, and account administration via desktop support. IT support no longer relies on physical assistance at end users' desktops.

    The rise of BYOD increased the need to control sensitive data outside the corporate network on all endpoints, which was beyond the capability of MDM and EMM solutions.

    • It's now almost impossible for IT to be everywhere to support customers.
    • This created a need to conduct tasks simultaneously from one single place.
    • UEM enables IT to run, manage, and control endpoints from one place, while ensuring that device health and security remain uncompromised.
    • UEM combines features of MDM and EMM while extending EMM's capabilities to all endpoints, including computers, laptops, tablets, phones, printers, wearables, and IoT.

    Info-Tech Insight

    Organizations once needed to worry about company connectivity assets such as computers and laptops. To manage them, traditional client management tools like Microsoft Configuration Manager would be enough.

    With the increase in the work-from-anywhere model, it is very hard to control, manage, and monitor devices that are not connected to a VPN. UEM solutions enable IT to tackle this challenge and have full visibility into and management of any device.

    UEM platforms help with saving costs and increasing efficiency

    UEM helps corporations save on their investments as it consolidates use-case management in a single console. Businesses don't need to invest in different device and application management solutions.

    From the employee perspective, UEM enables them to work on their own devices while enforcing security on their personal data.

    • Security and privacy are very important criteria for organizations. With the rapid growth of the work-from-anywhere model, corporate security is a huge concern for companies.
    • Working from home has forced companies to invest a lot in data security, which has led to high UEM demand. UEM solutions streamline security management by consolidating device management in a single platform.
    • With the fourth-generation industrial revolution, we're experiencing a significant rise in the use of IoT devices. UEM solutions are very critical for managing, configuring, and securing these devices.
    • There will be a huge increase in cyber threats due to automation, IoT, and cloud services. The pandemic has sped up the adoption of such services, forcing businesses to rethink their enterprise mobility strategies. They are now more cautious about security risks and remediations. Businesses need UEM to simplify device management on multiple endpoints.
    • With UEM, IT environment management gets more granular, while giving IT better visibility on devices and applications.

    UEM streamlines mundane admin tasks and simplifies user issues.

    Even with a COPE or COBO provisioning model, without any IT intervention, users can decide when to install relevant updates. This may also lead to shadow IT.

    Endpoint management, and UEM more specifically, enables IT to enforce administration over user devices, whether they are corporate or personally owned. This is enabled without interfering with private/personal data.

    Where it's going: The future state of UEM

    Despite the fast evolution of the UEM market, many organizations do not move as fast as technological capabilities. Although over half of all organizations have at least one UEM solution, they may not have a good strategy or policies to maximize the value of technology (Tech Orchard, 2022). As opposed to such organizations, there are others that use UEM to transform their endpoint management strategy and move service management to the next level. That integration between endpoint management and service management is a developing trend (Ivanti, 2021).

    • SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. Further, the pandemic saw 47% of organizations significantly increase their use of BYOD (Cybersecurity Insiders, 2021).
    • Over 2022, 78% of people worked remotely for at least some amount of time during the week (Tech Orchard, 2022).
    • 84% of organizations believe that cybersecurity threat alarms are becoming very overwhelming, and almost half of companies believe that the best way to tackle this is through consolidating platforms so that everything will be visible and manageable through a single pane of glass (Cybersecurity Insiders, 2022).
    • The UEM market was worth $3.39 billion in 2020. It is expected to reach $53.65 billion by 2030, with an annual growth rate of 31.7% (Datamation, 2022). This demonstrates how dependent IT is becoming on endpoint management solutions.

    An image of a donut chart showing the current state of UEM Strategy.

    Only 27% of organizations have "fully deployed" UEM "with easy management across all endpoints"
    Source: IT Pro Today, 2018.

    Endpoint Management Key Trends

    • Commoditization of endpoint management features. Although their focus is the same, some UEM solutions have unique features.
    • New endpoint management paradigms have emerged. Endpoint management has evolved from client management tools (CMT) and MDM into UEM, also known as "modern management" (Ivanti, 2022).
    • One pane of glass for the entire end-user experience. Endpoint management vendors are integrating their solution into their ITSM, ITOM, digital workspace, and security products.
    • AI-powered insights. UEM tools collect data on endpoints and user behavior. Vendors are using their data to differentiate themselves: Products offer threat reports, automated compliance workflows, and user experience insights. The UEM market is ultimately working toward autonomous endpoint management (Microsoft, 2022).
    • Web apps and cloud storage are the new normal. Less data is stored locally. Fewer apps need to be patched on the device. Apps can be accessed on different devices more easily. However, data can more easily be accessed on BYOD and on new operating systems like Chrome OS.
    • Lighter device provisioning tools. Instead of managing thick images, UEM tools use lighter provisioning packages. Once set up, Autopilot and UEM device enrollment should take less time to manage than thick images.
    • UEM controls built around SaaS. Web apps and the cloud allow access from any device, even unmanaged BYOD. UEM tools allow IT to apply the right level of control for the situation – mobile application management, mobile content management, or mobile device management.
    • Work-from-anywhere and 5G result in more devices outside of your firewalls. Cloud-based management tools are not limited by your VPN connection and can scale up more easily than traditional, on-prem tools.

    Understand endpoint management table stakes features

    Determine high-level use cases to help you narrow down to specific features

    Support the organization's operating systems:
    Many UEM vendors support the most dominant operating systems, Windows and macOS; however, they are usually stronger in one particular OS than the other. For instance, Intune supports both Windows and macOS, although there are some drawbacks with macOS management by Intune. Conversely, Jamf is mainly for macOS and iOS management. Enterprises look to satisfy their end users' needs. The more operating systems a UEM vendor supports, the more likely enterprises are to pick it. However, as mentioned, in some instances enterprises may need to select more than one option, depending on their requirements.

    Support BYOD and remote environments:
    With the impact of the pandemic on the work model, 60-70% of the workforce would like to have more flexibility for working remotely (Ivanti, 2022). BYOD is becoming the default, and SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. As BYOD can boost productivity (Samsung Insights, 2016), you may be interested in how your prospective UEM solution will enable this capability with remote wipe (corporate wipe capability vs. wiping the whole device), data and device tracking, and user activity auditing.

    Integration with the enterprise's IT products:
    To get everything in a single platform and to generate better metrics and dashboards, vendors provide integrations with ticketing and monitoring solutions. Many large vendors have strong integrations with multiple ITSM and ITAM platforms to streamline incident management, request management, asset management, and patch management.

    Support security and compliance policies:
    With the significant boost in work-from-anywhere, companies would like to enable endpoint security more than ever. This includes device threat detection, malware detection, anti-phishing, and more. All UEMs provide these, although the big difference between them is how well they enable security and compliance, and how flexible they are when it comes to giving conditional access to certain data.

    Provide a fully automated vs manual deployment:
    Employees want to get their devices faster, IT wants to deploy devices faster, and businesses want to enable employees faster to get them onboard sooner. UEMs have the capability to provide automated and manual deployment. However, the choice of solution depends on the enterprise's infrastructure and policies. Full automation of deployment is very applicable for corporate devices, while it may not be a good option for personally owned devices. Define your user groups and provisioning models, and make sure your candidate vendors satisfy requirements.

    Plan a proper UEM selection according to your requirements

    1. Identify IT governance, policy, and process maturity
      Tools cannot compensate for your bad processes. You should improve deploying and provisioning processes before rolling out a UEM. Automation of a bad process only wraps the process in a nicer package – it does not fix the problem.
      Refer to Info-Tech's Modernize and Transform Your End-User Computing Strategy for more information on improving endpoint management procedures.
    2. Consider supported operating systems, cloud services, and network infrastructure in your organization
      Most UEMs support all dominant operating systems, but some solutions have stronger capability for managing a certain OS over the other.
    3. Define enterprise security requirements
      Investigate security levels, policies, and requirements to align with the security features you're expecting in a UEM.
    4. Selection and implementation of a UEM depend on the use case. Select a vendor that supports your use cases
      Identify use cases specific to your industry.
      For example, UEM use cases in Healthcare:
      • Secure EMR
      • Enforce HIPAA compliance
      • Secure communications
      • Enable shared device deployment

    Activity: Define use cases and core features for meeting business and technical goals

    1-2 hours

    1. Brainstorm with your colleagues to discuss your challenges with endpoint management.
    2. Identify how these challenges are impacting your ability to meet your goals for managing and controlling endpoints.
    3. Define high-level goals you wish to achieve in the first year and in the longer term.
    4. Identify the use cases that will support your overall goals.
    5. Document use cases in the UEM Requirements Workbook.

    Input

    • List of challenges and goals

    Output

    • Use cases to be used for determining requirements

    Materials

    • Whiteboard/flip charts
    • Laptop to record output

    Participants

    • CIO
    • IT manager
    • Infrastructure & Applications directors

    Download the UEM Requirements Workbook

    Phase 2

    Discover the endpoint management market space and select the right vendor

    Phase 1

    Phase 2

    Define endpoint management platforms

    Explore endpoint management trends

    Classify table stakes & differentiating capabilities

    Streamline the requirements elicitation process for a new endpoint management platform

    Discover key players across the vendor landscape

    Engage the shortlist and select finalist

    Prepare for implementation

    This phase will walk you through the following activity:
    Define top-level features for meeting business and technical goals
    This phase involves the following participants:

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    • Project managers

    Elicit and prioritize granular requirements for your endpoint management platform

    Understanding business needs through requirements gathering is the key to defining everything about what is being purchased. However, it is an area where people often make critical mistakes.

    Risks of poorly scoped requirements

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of confusing and inconsistent detail in the requirements.
    • Drill down all the way to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are "obvious."

    Best practices

    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Review Info-Tech's blueprint Improve Requirements Gathering to improve your requirements gathering process.

    Consider the perspective of each stakeholder to ensure functionality needs are met

    Best of breed vs. "good enough" is an important discussion and will feed your success

    Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

    • Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where "good enough" is an acceptable state.
    • Consider the implications of implementation and all use cases of:
      • Buying an all-in-one solution.
      • Integration of multiple best-of-breed solutions.
      • Customizing features that were not built into a solution.
    • Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional endpoint management solutions.

    Pros and Cons

    An image showing the pros and cons of building vs buying

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews
    A screenshot of SoftwareReviews' Data Quadrant analysis. A screenshot of SoftwareReviews' Emotional Footprint analysis.
    • The Data Quadrant is an evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.
    • Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
    • The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.
    • Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology.
    With the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    Get to Know the Key Players in the Endpoint Management Landscape

    The following slides provide a top-level overview of the popular players you will encounter in the endpoint management shortlisting process in alphabetical order.

    A screenshot showing a series of logos for the companies addressed later in this blueprint. It includes: Cisco Meraki; Citrix; IBM MaaS360; Ivanti; Jamf Pro; ManageEngine Endpoint Central; Microsoft Endpoint Manager; and VMware.

    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF, and NPS scores are pulled from live data as of January 2023.

    Secure business units and enhance connection by simplifying the digital workplace

    A good option for enterprises that want a single-pane-of-glass UEM that is easy to use, with a modern-looking dashboard, high threat-management capability, and high-quality customer support.

    Cisco Meraki

    Est. 1984 | CA, USA | NASDAQ: CSCO

    Composite Score: 8.8 | CX Score: 9.1 | Emotional Footprint: +92 | Likeliness to Recommend: 91%

    Screenshot of Cisco Meraki's dashboard. Source: Cisco

    Strengths:

    • Cisco Meraki offers granular control over what users can and cannot use.
    • The system is user friendly and intuitive, with a variety of features.
    • The anti-malware capability enhances security.
    • Users are very satisfied with being able to control everything in a single platform.
    • System configuration is easy.
    • Vendor relationship is very high with a rate of 96%.
    • System setup is easy, and users don't need much experience for initial configuration of devices.
    • Users are also mostly satisfied with the platform design.
    • Monitoring within the tool is easy.

    Areas to improve:

    • According to SoftwareReviews' survey report, the primary reason for leaving Cisco Meraki and switching over to another vendor is functionality.
    • Regardless of the top-notch offerings and high-quality features, the product is relatively expensive. The quality and price factors make the solution a better fit for large enterprises. However, SoftwareReviews' scorecard for Cisco Meraki shows that small organizations are the most satisfied compared to the medium and large enterprises, with a net promoter score of 81%.

    Transform work experience and support every endpoint with a unified view to ensure users are productive

    A tool that enables you to access corporate resources on personal devices. It is adaptable to your budget. SoftwareReviews reports that 75% of organizations have received a discount at initial purchase or renewal, which makes it a good candidate if looking for a negotiable option.

    Citrix Endpoint Management

    Est. 1989 | TX, USA | Private

    Composite Score: 7.9 | CX Score: 8.0 | Emotional Footprint: 8.0 | Likeliness to Recommend: 83%

    Screenshot of Citrix Endpoint Management's dashboard. Source: Citrix

    Strengths:

    • Citrix Endpoint Management is a cloud-centric, easy-to-use UEM with an upgradable interface.
    • The solution simplifies endpoint management and provides real-time visibility and notifications.
    • Citrix allows deployments on different operating systems to meet organizations' infrastructure requirements.
    • The vendor offers different licenses and pricing models, allowing businesses of different sizes to use the tool based on their budgets and requirements.

    Areas to improve:

    • Some users believe that integration with external applications should be improved.
    • Deployment is not very intuitive, making the implementation process challenging.
    • Users may experience some lag while opening applications on Citrix. The application is even a bit slower when using a mobile device.

    Scale remote users, enable BYOD, and drive a zero-trust strategy with IBM's modern UEM solution

    A perfect option to boost cybersecurity. Remote administration and installation are made very easy and intuitive on the platform. It is very user friendly, making implementation straightforward. It comes with four licensing options: Essential, Deluxe, Premier, and Enterprise. Check IBM's website for information on pricing and offerings.

    IBM MaaS360

    Est. 1911 | NY, USA | NYSE: IBM

    Composite Score: 7.7 | CX Score: 8.4 | Emotional Footprint: +86 | Likeliness to Recommend: 76%

    Screenshot of IBM MaaS360's dashboard. Source: IBM

    Strengths:

    • IBM MaaS360 is easy to install and implement.
    • It has different pricing models to fit enterprises' needs.
    • MaaS360 is compatible with different operating systems.
    • Security management is one of the strongest features, making the tool perfect for organizations that want to improve cybersecurity.
    • Vendor support is very effective, and users find knowledge articles very helpful.
    • It has a very intuitive dashboard.
    • The tool can control organizational data, allowing you to apply BYOD policy.
    • AI Advisor with Watson provides AI-driven reporting and insights.

    Areas to improve:

    • Working with iOS may not be as intuitive as other operating systems.
    • Adding or removing users in a user group is not very straightforward.
    • Some capabilities are limited to particular Android or iOS devices.
    • Deploying application packages may be a bit difficult.
    • Hardware deployment may need some manual work and is not fully automated.

    Get complete device visibility from asset discovery to lifecycle management and remediation

    A powerful tool for patch management with a great user interface. You can automate patching and improve cybersecurity, while having complete visibility into devices. According to SoftwareReviews, 100% of survey participants plan to renew their contract with Ivanti.

    Ivanti Neurons

    Est. 1985 | CA, USA | Private

    Composite Score: 8.0 | CX Score: 8.0 | Emotional Footprint: +81 | Likeliness to Recommend: 83%

    Screenshot of Ivanti Neurons UEM's dashboard. Source: Ivanti

    Strengths:

    • The tool is intuitive and user friendly.
    • It's a powerful security management platform, supporting multiple operating systems.
    • Ivanti Neurons is very strong in patch management and inventory management. It helps enable seamless application deployment.
    • Users can install their applications via Ivanti's portal.
    • The user interface is very powerful and easy to use.
    • AI-augmented process management automates protocols, streamlining device management and application updates.
    • The vendor is very efficient in training and provides free webinars.
    • Data integration is very easy. According to SoftwareReviews, it had a satisfaction score for ease of data integration of 86%, which makes Ivanti the top solution for this capability.

    Areas to improve:

    • Data analytics is powerful but complicated.
    • Setup is easy for some teams but not as easy for others, which may cause delays for implementation.
    • Software monitoring is not as good as that of other competitors.

    Improve your end-user productivity and transform enterprise Apple devices

    An Apple-focused UEM with a great interface. Jamf can manage and control macOS and iOS, and it is one of the best options for Apple products, according to users' sentiments. However, it may not be a one-stop solution if you want to manage non-Apple products as well. In this case, you can use Jamf in addition to another UEM. Jamf has some integrations with Microsoft, but it may not be sufficient if you want to fully manage Windows endpoints.

    Jamf Pro

    Est. 2002 | MN, USA | NASDAQ: JAMF

    Composite Score: 8.8 | CX Score: 8.7 | Emotional Footprint: +87 | Likeliness to Recommend: 95%

    Screenshot of Jamf Pro's dashboard. Source: Jamf

    Strengths:

    • Jamf Pro is a unique product with an easy implementation that enables IT with minimum admin intervention.
    • It can create smart groups (based on MDM profile and user group) to automatically assign users to their pertinent apps and updates.
    • It's a very user-friendly tool, conducting device management in fewer steps than other competitors.
    • Reports are totally customizable and dynamic.
    • Notifications are easy to navigate and monitor.
    • The self-service feature enables end users to download their predefined categories of applications in the App Store.
    • It can apply single sign-on integrations to streamline user access to applications.
    • Businesses can personalize the tool with corporate logos.
    • The vendor provides great customer service when problems arise.

    Areas to improve:

    • It is a costly tool relative to other competitors, pushing prospects to consider other products.
    • The learning process may be long and not easy, especially if admins do not script, or it's their first time using a UEM.

    Apply automation of traditional desktop management, software deployment, endpoint security, and patch management

    A strong choice for patch management, software deployment, asset management, and security management. There is a free version of the tool available to try, to get an understanding of the platform before purchasing a higher tier of the product.

    ManageEngine Endpoint Central

    Est. 1996 | India | Private

    Composite Score: 8.3 | CX Score: 8.3 | Emotional Footprint: +81 | Likeliness to Recommend: 88%

    Screenshot of ME Endpoint Central's dashboard. Source: ManageEngine

    Strengths:

    • It supports several operating systems including Windows, Mac, Linux, Android, and iOS.
    • Endpoint Central provides end-to-end monitoring, asset management, and security in a single platform.
    • Setup is simple and intuitive, and it's easy to learn and configure.
    • The reporting feature is very useful and gives you clear visibility into the dashboard.
    • Combined with ME Service Desk Plus, we can call Endpoint Central an all-in-one solution.
    • The tool provides a real-time report on devices and tracks their health status.
    • It has multiple integrations with third-party solutions.

    Areas to improve:

    • The tool does not automate updates, making application updates time-consuming.
    • Sometimes, patches and software deployments fail, and the tool doesn't provide any information on the reason for the failure.
    • There is no single point of contact/account manager for the clients when they have trouble with the tool.
    • Remote connection to Android devices can sometimes get a little tedious.

    Get device management and security in a single platform with a combination of Microsoft Intune and Configuration Manager

    A solution that combines Intune and ConfigMgr's capabilities into a single endpoint management suite for enrolling, managing, monitoring, and securing endpoints. It's a very cost-effective solution for enterprises in the Microsoft ecosystem, but it also supports other operating systems.

    Microsoft Endpoint Manager

    Est. 1975 | NM, USA | NASDAQ: MSFT

    Composite Score: 8.0 | CX Score: 8.5 | Emotional Footprint: +83 | Likeliness to Recommend: 85%

    Screenshot of MS Endpoint Manager's dashboard. Source: Microsoft

    Strengths:

    • Licensing for the enterprises that use Windows as their primary operating system is more efficient and cost effective.
    • Endpoint Manager is very customizable, with the ability to assign personas to device groups.
    • Besides Windows, it manages other operating systems, such as Linux, Android, and iOS.
    • It creates endpoint security and compliance policies for BitLocker that streamline data protection and security. It also provides SSO.
    • It provides very strong documentation and a knowledge base.

    Areas to improve:

    • The user interface is not as good as competitors'. It's a bit clunky and complex to use.
    • The process of changing configurations on devices can be time consuming.
    • Sometimes there are service outages such as Autopilot failure, which push IT to deploy manually.
    • Location tracking is not very accurate.

    Simplify and consolidate endpoint management into a single solution and secure all devices with real-time, "over-the-air" modern management across all use cases

    A strong tool for managing and controlling mobile devices. It can access all profiles through Google and Apple, and it integrates with various IT management solutions.

    VMware Workspace ONE

    Est. 1998 | CA, USA | NYSE: VMW

    Composite Score: 7.5 | CX Score: 7.4 | Emotional Footprint: +71 | Likeliness to Recommend: 75%

    Screenshot of Workspace ONE's dashboard. Source: VMware

    Strengths:

    • Workspace ONE provides lots of information about devices.
    • It provides a large list of integrations.
    • The solution supports various operating systems.
    • The platform has many out-of-the-box features and helps with security management, asset management, and application management.
    • The vendor has a community forum which users find helpful for resolving issues or asking questions about the solution.
    • It is very simple to use and provides SSO capability.
    • Implementation is relatively easy and straightforward.

    Areas to improve:

    • Customization may be tricky and require expertise.
    • The solution can be more user friendly with a better UI.
    • Because of intensive processing, updates to applications take a long time.
    • The tool may sometimes be very sensitive and lock devices.
    • Analytics and reporting may need improvement.

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements
    2. Checking out SoftwareReviews
    3. Shortlisting your vendors
    4. Conducting demos and detailed proposal reviews
    5. Selecting and contracting with a finalist!

    Activity: Define high-level features for meeting business and technical goals

    Input

    • List of endpoint management use cases
    • List of prioritized features

    Output

    • Vendor evaluation
    • Final list of candidate vendors

    Materials

    • Whiteboard/flip charts
    • Laptop
    • UEM Requirements Workbook

    Participants

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    • Project managers

    Activity: Define top-level features for meeting business and technical goals

    As there are many solutions in the market that share capabilities, it is imperative to closely evaluate how well they fulfill your endpoint management requirements.
    Use the UEM Requirements Workbook to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    1. Refer to the output of the previous activity, the identified use cases in the spreadsheet.
    2. List the features you want in an endpoint solution for your devices that will fulfill these use cases. Record those features in the second column ("Detailed Feature").
    3. Prioritize each feature (must have, should have, nice to have, not required).
    4. Send this list to candidate vendors.
    5. When you finish your investigation, review the spreadsheet to compare the various offerings and pros and cons of each solution.

    Info-Tech Insight

    The output of this activity can be used for a detailed evaluation of UEM vendors. The next steps will be vendor briefing and having further discussion on technical capabilities and conducting demos of solutions. Info-Tech's blueprint, The Rapid Application Selection Framework, takes you to these next steps.

    This is a screenshot showing the high value use cases table from The Rapid Application Selection Framework.

    Download the UEM Requirements Workbook

    Leverage Info-Tech's research to plan and execute your endpoint management selection and implementation

    Use Info-Tech Research Group's blueprints for selection and implementation processes to guide your own planning.

    • Assess
    • Prepare
    • Govern & Course Correct

    This is a screenshot of the title pages from Info-Tech's Governance and Management of Enterprise Software Implementation and The Rapid Application Selection Framework.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity because communication can break down more easily. This can be mitigated by:

    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role Clarity: Having a clear definition of what everyone's role is.

    Implementation with a partner typically results in higher satisfaction

    Align your implementation plans with both the complexity of the solution and internal skill levels

    Be clear and realistic in your requirements to the vendor about the level of involvement you need to be successful.

    Primary reasons to use a vendor:

    • Lack of skilled resources: For solutions with little configuration change happening after the initial installation, the ramp-up time for an individual to build skills for a single event is not practical.
    • Complexity of solution: Multiple integrations, configurations, modules, and even acquisitions that haven't been fully integrated in the solution you choose can make it difficult to complete the installation and rollout on time and on budget. Troubleshooting becomes even more complex if multiple vendors are involved.
    • Data migration: Decide what information will be valuable to transfer to the new solution and which will not benefit your organization. Data structure and residency can both be factors in the complexity of this exercise.

    This is an image of a bar graph showing the Satisfaction Net Promoter Score by Implementation Type and Organization Size.

    Source: SoftwareReviews, January 2020 to January 2023, N = 20,024 unique reviews

    To ensure your SOW is mutually beneficial, download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable.

    Consider running a proof of concept if concerns are expressed about the feasibility of the chosen solution

    Proofs of concept (PoCs) can be time consuming, so make good choices on where to spend the effort

    Create a PoC charter that will enable a quick evaluation of the defined use cases and functions. These key dimensions should form the PoC.

    1. Objective – Giving an overview of the planned PoC will help to focus and clarify the rest of this section. What must the PoC achieve? Objectives should be specific, measurable, attainable, relevant, and time bound. Outline and track key performance indicators.
    2. Key Success Factors – These are conditions that will positively impact the PoC's success.
    3. Scope – High-level statement of scope. More specifically, state what is in scope and what is out of scope.
    4. Project Team – Identify the team's structure, e.g. sponsors, subject matter experts.
    5. Resource Estimation – Identify what resources (time, materials, space, tools, expertise, etc.) will be needed to build and socialize your prototype. How will they be secured?

    An image of two screenshots from Info-Tech Research Group showing documentation used to generate effective proofs of concept.

    To create a full proof of concept plan, download the Proof of Concept Template and see the instructions in Phase 3 of the blueprint Exploit Disruptive Infrastructure Technology.

    Selecting a right-sized endpoint management platform

    This selection guide allows organizations to execute a structured methodology for picking a UEM platform that aligns with their needs. This includes:

    • Identifying and prioritizing key business and technology drivers for an endpoint management selection business case.
    • Defining key use cases and requirements for a right-sized UEM platform.
    • Reviewing a comprehensive market scan of key players in the UEM marketspace.

    This formal UEM selection initiative will map out requirements and identify technology capabilities to fill the gap for better endpoint management. It also allows a formal roll-out of a UEM platform that is highly likely to satisfy all stakeholder needs.


    Summary of Accomplishment

    Knowledge Gained

    • What endpoint management is
    • Historical origins and evolution of endpoint management platforms
    • Current trends and future state of endpoint management platforms

    Processes Optimized

    • Identifying use cases
    • Gathering requirements
    • Reviewing market key players and their capabilities
    • Selecting a UEM tool that fulfills your requirements

    UEM Solutions Analyzed

    • Cisco Meraki
    • Citrix Endpoint Management
    • IBM MaaS360
    • Ivanti Neurons UEM
    • Jamf Pro
    • ManageEngine Endpoint Central
    • Microsoft Endpoint Manager
    • VMware Workspace ONE

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Best Unified Endpoint Management (UEM) Software | SoftwareReviews

    Compare and evaluate Unified Endpoint Management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best Unified Endpoint Management software for your organization.

    The Rapid Application Selection Framework

    This blueprint walks you through a process for a fast and efficient selection of your prospective application. You will be enabled to use a data-driven approach to select the right application vendor for your needs, shatter stakeholder expectations with truly rapid application selections, boost collaboration and crush the broken telephone with concise and effective stakeholder meetings, and lock in hard savings.

    Lead Staff through Change

    • Sixty to ninety percent of change initiatives fail, costing organizations dollars off the bottom line and lost productivity.
    • Seventy percent of change initiatives fail because of people-related issues, which place a major burden on managers to drive change initiatives successfully.
    • Managers are often too busy focusing on the process elements of change; as a result, they neglect major opportunities to leverage and mitigate staff behaviors that affect the entire team.

    Our Advice

    Critical Insight

    • Change is costly, but failed change is extremely costly. Managing change right the first time is worth the time and effort.
    • Staff pose the biggest opportunity and risk when implementing a change – managers must focus on their teams in order to maintain positive change momentum.
    • Large and small changes require the same change process to be followed but at different scales.
    • The size of a change must be measured according to the level of impact the change will have on staff, not how executives and managers perceive the change.
    • To effectively lead their staff through change, managers must anticipate staff reaction to change, develop a communication plan, introduce the change well, help their staff let go of old behaviors while learning new ones, and motivate their staff to adopt the change.

    Impact and Result

    • Anticipate and respond to staff questions about the change in order to keep messages consistent, organized, and clear.
    • Manage staff based on their specific concerns and change personas to get the best out of your team during the transition through change.
    • Maintain a feedback loop between staff, executives, and other departments in order to maintain the change momentum and reduce angst throughout the process.

    Lead Staff through Change Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn how to manage people throughout the change process

    Set up a successful change adoption.

    • Storyboard: Lead Staff through Change

    2. Learn the intricacies of the change personas

    Correctly identify which persona most closely resembles individual staff members.

    • None

    3. Assess the impact of change on staff

    Ensure enough time and effort is allocated in advance to people change management.

    • Change Impact Assessment Tool

    4. Organize change communications messages for a small change

    Ensure consistency and clarity in change messages to staff.

    • Basic Business Change Communication Worksheet

    5. Organize change communications messages for a large change

    Ensure consistency and clarity in change messages to staff.

    • Advanced Business Change Description Form

    6. Evaluate leadership of the change process with the team

    Improve people change management for future change initiatives.

    • Change Debrief Questionnaire

    Establish a Communication and Collaboration System Strategy

    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $6,459 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Communication and collaboration portfolios are overburdened with redundant and overlapping services. Between Office 365, Slack, Jabber, and WebEx, IT is supporting a collection of redundant apps. This redundancy takes a toll on IT, and on the user.
    • Shadow IT is easier than ever, and cheap sharing tools are viral. Users are literally carrying around computers in their pockets (in the form of smartphones). IT often has no visibility into how these devices – and the applications on them – are used for work.

    Our Advice

    Critical Insight

    • You don’t know what you don’t know. Unstructured conversations with users will uncover insights.
    • Security is meaningless without usability. If security controls make a tool unusable, then users will rush to adopt something that’s free and easy.
    • Training users on a new tool once isn’t effective. Engage with users throughout the collaboration tool’s lifecycle.

    Impact and Result

    • Few supported apps and fewer unsupported apps. This will occur by ensuring that your collaboration tools will be useful to and used by users. Give users a say through surveys, focus groups, and job shadowing.
    • Lower total cost of ownership and greater productivity. Having fewer apps in the workplace, and better utilizing the functionality of those apps, will mean that IT can be much more efficient at managing your ECS.
    • Higher end-user satisfaction. Tools will be better suited to users’ needs, and users will feel heard by IT.

    Establish a Communication and Collaboration System Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a new approach to communication and collaboration apps, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a shared vision on the future of communication and collaboration

    Identify and validate goals and collaboration tools that are used by your users, and the collaboration capabilities that must be supported by your desired ECS.

    • Establish a Communication and Collaboration System Strategy – Phase 1: Create a Shared Vision on the Future of Communication and Collaboration
    • Enterprise Collaboration Strategy Template
    • Building Company Communication and Collaboration Technology Improvement Plan Executive Presentation
    • Communications Infrastructure Stakeholder Focus Group Guide
    • Enterprise Communication and Collaboration System Business Requirements Document

    2. Map a path forward

    Map a path forward by creating a collaboration capability map and documenting your ECS requirements.

    • Establish a Communication and Collaboration System Strategy – Phase 2: Map a Path Forward
    • Collaboration Capability Map

    3. Build an IT and end-user engagement plan

    Effectively engage everyone to ensure the adoption of your new ECS. Engagement is crucial to the overall success of your project.

    • Establish a Communication and Collaboration System Strategy – Phase 3: Proselytize the Change
    • Collaboration Business Analyst
    • Building Company Exemplar Collaboration Marketing One-Pager Materials
    • Communication and Collaboration Strategy Communication Plan

    Workshop: Establish a Communication and Collaboration System Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify What Needs to Change

    The Purpose

    Create a vision for the future of your ECS.

    Key Benefits Achieved

    Validate and bolster your strategy by involving your end users.

    Activities

    1.1 Prioritize Components of Your ECS Strategy to Improve

    1.2 Create a Plan to Gather Requirements From End Users

    1.3 Brainstorm the Collaboration Services That Are Used by Your Users

    1.4 Focus Group

    Outputs

    Defined vision and mission statements

    Principles for your ECS

    ECS goals

    End-user engagement plan

    Focus group results

    ECS executive presentation

    ECS strategy

    2 Map Out the Change

    The Purpose

    Streamline your collaboration service portfolio.

    Key Benefits Achieved

    Documented the business requirements for your collaboration services.

    Reduced the number of supported tools.

    Increased the effectiveness of training and enhancements.

    Activities

    2.1 Create a Current-State Collaboration Capability Map

    2.2 Build a Roadmap for Desired Changes

    2.3 Create a Future-State Capability Map

    2.4 Identify Business Requirements

    2.5 Identify Use Requirements and User Processes

    2.6 Document Non-Functional Requirements

    2.7 Document Functional Requirements

    2.8 Build a Risk Register

    Outputs

    Current-state collaboration capability map

    ECS roadmap

    Future-state collaboration capability map

    ECS business requirements document

    3 Proselytize the Change

    The Purpose

    Ensure the system is supported effectively by IT and adopted widely by end users.

    Key Benefits Achieved

    Unlock the potential of your ECS.

    Stay on top of security and industry good practices.

    Greater end-user awareness and adoption.

    Activities

    3.1 Develop an IT Training Plan

    3.2 Develop a Communications Plan

    3.3 Create Initial Marketing Material

    Outputs

    IT training plan

    Communications plan

    App marketing one-pagers

    Select the Optimal Disaster Recovery Deployment Model

    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $10,247 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • DR deployment has many possibilities. It becomes overwhelming and difficult to sift through all of the options and understand what makes sense for your organization.
    • The combination of high switching costs and the pressure to move applications to cloud leaves managers overwhelmed and complacent with their current DR model.

    Our Advice

    Critical Insight

    1. Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
    2. A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.
    3. Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.

    Impact and Result

    • By efficiently eliminating models that are not suited for your organization and narrowing the scope of DR deployment possibilities, you spend more time focusing on what works rather than what doesn’t.
    • Taking a funneled approach ensures that you are not wasting time evaluating application-level considerations when organizational constraints prevent you from moving forward.
    • Comparing the total cost of ownership among candidate models helps demonstrate to the business the reason behind choosing one method over another.

    Select the Optimal Disaster Recovery Deployment Model Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build the optimal DR deployment model, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Target the relevant DR options for your organization

    Complete Phase 1 to outline your DR site requirements, review any industry or organizational constraints on your DR strategy, and zero in on relevant DR models.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 1: Target Relevant DR Options for Your Organization
    • DR Decision Tree (Visio)
    • DR Decision Tree (PDF)
    • Application Assessment Tool for Cloud DR

    2. Conduct a comprehensive analysis and vet the DR vendors

    Complete Phase 2 to explore possibilities of deployment models, conduct a TCO comparison analysis, and select the best-fit model.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 2: Conduct a Comprehensive Analysis and Vet the DR Vendors
    • DR Solution TCO Comparison Tool

    3. Make the case and plan your transition

    Complete Phase 3 to assess outsourcing best practices, address implementation considerations, and build an executive presentation for business stakeholders.

    • Select the Optimal Disaster Recovery Deployment Model – Phase 3: Make the Case and Plan Your Transition
    • DR Solution Executive Presentation Template

    Workshop: Select the Optimal Disaster Recovery Deployment Model

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Target Relevant DR Options for Your Organization

    The Purpose

    Identify potential DR models

    Key Benefits Achieved

    Take a funneled approach and avoid getting lost among all of the DR models available

    Activities

    1.1 Define DR site requirements

    1.2 Document industry and organizational constraints

    1.3 Identify potential DR models

    Outputs

    Determine the type of site, replication, and risk mitigation initiatives required

    Rule out unfit models

    DR Decision Tree

    Application Assessment Tool for Cloud DR

    2 Conduct a Comprehensive Analysis of Appropriate Models

    The Purpose

    Explore relevant DR models

    Key Benefits Achieved

    Develop supporting evidence for the various options

    Activities

    2.1 Explore pros and cons of potential solutions

    2.2 Understand the use case for DRaaS

    2.3 Review DR model diagrams

    Outputs

    Qualitative analysis on candidate models

    Evaluate the need for DRaaS

    DR diagrams for candidate models

    3 Build the DR Solution TCO Comparison Tool

    The Purpose

    Determine best cost models

    Key Benefits Achieved

    Save money by selecting the most cost-effective option to meet your DR requirements

    Activities

    3.1 Gather hardware requirements for production site

    3.2 Define capacity requirements for DR

    3.3 Compare cost across various models

    Outputs

    Populate the production summary tab in TCO tool

    Understand how much hardware will need to be on standby and how much will be procured at the time of disaster

    Find the most cost-effective method

    4 Make the Case and Plan Your Transition

    The Purpose

    Build support from business stakeholders by having a clear and defendable proposal for DR

    Key Benefits Achieved

    Effective and ready DR deployment model

    Activities

    4.1 Address implementation considerations for network, capacity, and day-to-day operations

    4.2 Build presentation for business stakeholders

    Outputs

    Define implementation projects necessary for deployment and appoint staff to execute them

    PowerPoint presentation to summarize findings from the course of the project

    Data Protection Notice

    Tymans Group BV processes personal information in compliance with this privacy statement. For further information, questions or comments on our privacy policy, please contact Gert Taeymans at https://tymansgroup.com/gdpr-contact.

    Purposes of the processing

    Tymans Group BV collects and processes customers’ personal data for customer and order management (customer administration, order / delivery follow-up, invoicing, solvency follow-up, profiling and the sending of marketing and personalised advertising).

    Legal foundation for the processing

    Personal data is processed based on several provisions of Article 6.1 of the General Data Protection Regulation:

    (a) consent, which you can revoke at any time,

    (b) required for the implementation of an agreement between you and Tymans Group BV, e.g. when you enter into a contract with us,

    (c) required to satisfy a legal obligation,

    (f) required for the protection of our legitimate interest in entrepreneurship.

    An actual data item may be subject to multiple provisions.

    Insofar as the processing of personal data takes place based on Article 6.1 (a) (consent), customers always have the right to withdraw the given consent.

    Transfer to third parties

    If required to achieve the set purposes, your personal data will be shared with other companies within the European Economic Area, which are linked directly or indirectly with Gert Taeymans BV or with any other partner of Tymans Group BV.

    Tymans Group BV guarantees that these recipients will take the necessary technical and organisational measures for the protection of personal data.

    Third party categories that are subject to this provision are:

        Accounting
        Hosting
        Software Engineering (when you order websites or custom development with us)
        Social Media (only as part of Social Media Marketing contracted services by you)

    The ECJ striking down the EU-US Privacy Shield agreement leaves us with an open gap. The resulting implications and actions to take are not yet clear. You must be aware that one can argue that any data transfer from the EU towards the US is now in breach of the law. Others argue that necessary transfers are still allowed, without, however, defining, as far as we know, what "necessary" actually means. This website runs on servers within the EU. We also closely follow the opinions of scholars and our regulator.

    Retention period

    Personal data processed for customer management will be stored for the time necessary to satisfy legal requirements (in terms of bookkeeping, among others).

    Right to inspection, improvement, deletion, limitation, objection and transferability of personal data

    You have at all times the right to inspect your personal data and can have it improved should it be incorrect or incomplete, have it removed, limit its processing, and object to the processing of your personal data based on Article 6.1 (f), including profiling based on said provisions. However, any personal data that is needed for the legal processing of your order cannot be removed after you have placed an order, as we need to keep it for legal purposes.

    Furthermore, you are entitled to obtain a copy of your personal data and to have said personal data forwarded to another company.

    In order to exercise the aforementioned rights, you are requested to send an e-mail to the following address: dataprivacy@tymansgroup.com.

    Direct marketing

    You are entitled to object free of charge to any processing of your personal data aimed at direct marketing.

    Complaint

    You have the right to file a complaint with the Belgian Privacy Protection Commission (35 Rue de la Presse, 1000 Brussels - contact@adp-gba.be - 02/ 274 48 00 or 02/ 274 48 35).

    Resilience, It's about your business

    January 17th, 2025 is when your ability to serve clients without interruption is legislated. At least when you are in the financial services sector, or when you supply such firms. If you are not active in the financial arena, don’t click away. Many of these requirements can just give you an edge over your competition.

    Many firms underestimated the impact of the legislation, but let’s be honest, so did the European Union. The last pieces of the puzzle are still not delivered only two days before the law comes into effect.

    What is DORA all about again? It is the Digital Operational Resilience Act. In essence, it is about your ability to withstand adverse events that may impact your clients or the financial system.

    Aside from some nasty details, this really is just common sense. You need to be organized so that the right people know what is expected of them, from the accountable top to the staff executing the day to day operations. You need to know what to do when things go wrong. You need to know your suppliers, especially those who supply services to your critical business services. You need to test your defenses and your IT. You may want to share intelligence around cyber-attacks.

    There, all of the 45 business-relevant DORA articles and technical standards in a single paragraph. The remaining articles deal with the competent authorities and make for good reading as they provide some insights into the workings of the regulatory body. The same goes for the preamble of the law. No less than 104 “musings” that elaborate on the operating environment and intent of the law.

    If your firm is still in the thick of things trying to become compliant, you are not alone. I have seen at least one regulator indicating that they will be understanding of that situation, but you must have a clear roadmap to compliance in the near future. Your regulator may or may not be in line with that position. In the eastern-most countries of the EU, signals are that the regulator will take a much tougher stance.

    (This kind of negates one of the musings of the law; the need for a single view on what financial services firms must adhere to to be considered compliant and resilient. But I think this is an unavoidable byproduct of having culturally diverse member states.)

    I dare to say that firms typically have the governance in place as well as the IM processes and testing requirements. The biggest open items seem to be in the actual IT hard operational resilience, monitoring and BCM.

    Take a look at your own firm and make an honest assessment in those areas. The key to resilience (DORA-related or not) is knowing how your service works and is performing from a client perspective.

    You need to know how a client achieves all their interaction goals with your company. Typically this is mapped in the client journey. Unfortunately, this usually only maps the business flow, not the technical flow. And usually you look at it from the client UX perspective. This is obviously very important, but it does not help you to understand the elements that assure you that your clients can always complete that journey.

    The other day, I had a customer journey with an online ski-shop. I had bought two ski helmets in size M, the same size my adult son and I had. When the helmets arrived it turned out they were too small. So, ok, no worries, I start the return process online. Once we complete the initial steps, after a few days I notice that the price for only one helmet is shown on the site. This, despite the indicators that both helmets are approved to be returned. Later both helmets are shown as effectively returned. Refund still shows one helmet’s price. What gives? I give it some more time, but after ten days, I decide to enquire. The site still shows refund for one helmet.

    Then I receive an email that both helmets will be refunded as they accepted the state of the helmets (unused) and amount of the refund is now correct. Site still shows the wrong amount.

    This is obviously a small inconvenience, but it does show that the IT team does not have a full view of the entire customer journey and systems interactions. You need to fix this.

    Suppose this is not about two ski helmets, but about ski or home insurance. Or about the sale of a car or a B2B transaction involving tens or hundreds of thousands of dollars or euro, or any other currency? Does your system show the real-time correct status of the transaction? If not, I would, as a consumer, decide to change provider. Why? Because the trust is gone.

    Resilience is about withstanding events that threaten your service to your clients. Events are not just earthquakes or floods. Events are also wrong or missing information. To protect against that, you need to know what the (value) chain is that leads to you providing that service. Additionally, you need to know if that service chain has any impediments at any moment in time. Aka, you need to know that any service request can be fulfilled at any given time. And to have the right processes and resources in place to fix whatever is not working at that time.

    And that is in my opinion the biggest task still outstanding with many companies to ensure true resilience and customer service.

    Proactively Identify and Mitigate Vendor Risk

    • IT priorities are focused on daily tasks, pushing risk management to secondary importance and diverging from a proactive environment.
    • IT leaders are relying on an increasing number of third-party technology vendors and outsourcing key functions to meet the rapid pace of change within IT.
    • Risk levels can fluctuate over the course of the partnership, requiring manual process checks and/or automated solutions.

    Our Advice

    Critical Insight

    • Every IT vendor carries risks that have business implications. These legal, financial, security, and operational risks could inhibit business continuity, and IT can’t wait until an issue arises to act.
    • Making intelligent decisions about risks without knowing what their financial impact will be is difficult. Risk impact must be quantified.
    • You don’t know what you don’t know, and what you don’t know can hurt you. To find hidden risks, you must use a structured risk identification method.

    Impact and Result

    • A thorough risk assessment in the selection phase is your first line of defense. If you follow the principles of vendor risk management, you can mitigate collateral losses following an adverse event.
    • Make a conscious decision whether to accept the risk based on time, priority, and impact. Spend the required time to correctly identify and enact defined vendor management processes that determine spend categories and appropriately evaluate potential and preferred suppliers. Ensure you accurately assess the partnership potential.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.

    Proactively Identify and Mitigate Vendor Risk Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to create a vendor risk management program that minimizes your organization’s vulnerability and mitigates adverse scenarios.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review vendor risk fundamentals and establish governance

    Review IT vendor risk fundamentals and establish a risk governance framework.

    • Proactively Identify and Mitigate Vendor Risk – Phase 1: Review Vendor Risk Fundamentals and Establish Governance
    • Vendor Risk Management Maturity Assessment Tool
    • Vendor Risk Management Program Manual
    • Risk Event Action Plan

    2. Assess vendor risk and define your response strategy

    Categorize, prioritize, and assess your vendor risks. Follow up with creating effective response strategies.

    • Proactively Identify and Mitigate Vendor Risk – Phase 2: Assess Vendor Risk and Define Your Response Strategy
    • Vendor Classification Model Tool
    • Vendor Risk Profile and Assessment Tool
    • Risk Costing Tool
    • Risk Register Tool

    3. Monitor, communicate, and improve IT vendor risk process

    Assign accountability and responsibilities to formalize ongoing risk monitoring. Communicate your findings to management and share the plan moving forward.

    • Proactively Identify and Mitigate Vendor Risk – Phase 3: Monitor, Communicate, and Improve IT Vendor Risk Process
    • Risk Report

    Workshop: Proactively Identify and Mitigate Vendor Risk

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare for the Workshop

    The Purpose

    To prepare the team for the workshop.

    Key Benefits Achieved

    Avoids delays and interruptions once the workshop is in progress.

    Activities

    1.1 Send workshop agenda to all participants.

    1.2 Prepare list of vendors and review any contracts provided by them.

    1.3 Review current risk management process.

    Outputs

    All necessary participants assembled

    List of vendors and vendor contracts

    Understanding of current risk management process

    2 Review Vendor Risk Fundamentals and Establish Governance

    The Purpose

    Review IT vendor risk fundamentals.

    Assess current maturity and set risk management program goals.

    Engage stakeholders and establish a risk governance framework.

    Key Benefits Achieved

    Understanding of organizational risk culture and the corresponding risk threshold.

    Obstacles to effective IT risk management identified.

    Attainable goals to increase maturity established.

    Understanding of the gap to achieve vendor risk readiness.

    Activities

    2.1 Brainstorm vendor-related risks.

    2.2 Assess current program maturity.

    2.3 Identify obstacles and pain points.

    2.4 Develop risk management goals.

    2.5 Develop key risk indicators (KRIs) and escalation protocols.

    2.6 Gain stakeholders’ perspective.

    Outputs

    Vendor risk management maturity assessment

    Goals for vendor risk management

    Stakeholders’ opinions

    3 Assess Vendor Risk and Define Your Response Strategy

    The Purpose

    Categorize vendors.

    Prioritize assessed risks.

    Key Benefits Achieved

    Risk events prioritized according to risk severity – as defined by the business.

    Activities

    3.1 Categorize vendors.

    3.2 Map vendor infrastructure.

    3.3 Prioritize vendors.

    3.4 Identify risk contributing factors.

    3.5 Assess risk exposure.

    3.6 Calculate expected cost.

    3.7 Identify risk events.

    3.8 Input risks into the Risk Register Tool.

    Outputs

    Vendors classified and prioritized

    Vendor risk exposure

    Expected cost calculation

    4 Assess Vendor Risk and Define Your Response Strategy (continued)

    The Purpose

    Determine risk threshold and contract clause relating to risk prevention.

    Identify and assess risk response actions.

    Key Benefits Achieved

    Thorough analysis has been conducted on the value and effectiveness of risk responses for high-severity risk events.

    Risk response strategies have been identified for all key risks.

    Authoritative risk response recommendations can be made to senior leadership.

    Activities

    4.1 Determine the threshold for (un)acceptable risk.

    4.2 Match elements of the contract to related vendor risks.

    4.3 Identify and assess risk responses.

    Outputs

    Thresholds for (un)acceptable risk

    Risk responses

    5 Monitor, Communicate, and Improve IT Vendor Risk Process

    The Purpose

    Communicate top risks to management.

    Assign accountabilities and responsibilities for risk management process.

    Establish monitoring schedule.

    Key Benefits Achieved

    Risk monitoring responsibilities are established.

    Transparent accountabilities and established ongoing improvement of the vendor risk management program.

    Activities

    5.1 Create a stakeholder map.

    5.2 Complete RACI chart.

    5.3 Establish the reporting schedule.

    5.4 Finalize the vendor risk management program.

    Outputs

    Stakeholder map

    Assigned accountability for risk management

    Established monitoring schedule

    Risk report

    Vendor Risk Management Program Manual

    Engineer Your Event Management Process

    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Build an event management practice that is situated in the larger service management environment. Purposefully choose valuable events to track and predefine their associated actions to cut down on data clutter.

    Our Advice

    Critical Insight

    Event management is useless in isolation. The goals come from the pain points of other ITSM practices. Build handoffs to other service management practices to drive the proper action when an event is detected.

    Impact and Result

    Create a repeatable framework to define monitored events, their root cause, and their associated action. Record your monitored events in a catalog to stay organized.

    Engineer Your Event Management Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Engineer Your Event Management Deck – A step-by-step document that walks you through how to choose meaningful, monitored events to track and action.

    Engineer your event management practice with tracked events informed by the business impact of the related systems, applications, and services. This storyboard will help you properly define and catalog events so you can properly respond when alerted.

    • Engineer Your Event Management Process – Phases 1-3

    2. Event Management Cookbook – A guide to help you walk through every step of scoping event management and defining every event you track in your IT environment.

    Use this tool to define your workflow for adding new events to track. This cookbook includes the considerations you need to include for every tracked event as well as the roles and responsibilities of those involved with event management.

    • Event Management Cookbook

    3. Event Management Catalog – Using the Event Management Cookbook as a guide, record all your tracked events in the Event Management Catalog.

    Use this tool to record your tracked events and alerts in one place. This catalog allows you to record the rationale, root-cause, action, and data governance for all your monitored events.

    • Event Management Catalog

    4. Event Management Workflow – Define your event management handoffs to other service management practices.

    Use this template to help define your event management handoffs to other service management practices including change management, incident management, and problem management.

    • Event Management Workflow (Visio)
    • Event Management Workflow (PDF)

    5. Event Management Roadmap – Implement and continually improve upon your event management practice.

    Use this tool to implement and continually improve upon your event management process. Record, prioritize, and assign your action items from the event management blueprint.

    • Event Management Roadmap

    Workshop: Engineer Your Event Management Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Situate Event Management in Your Service Management Environment

    The Purpose

    Determine goals and challenges for event management and set the scope to business-critical systems.

    Key Benefits Achieved

    Defined system scope of Event Management

    Roles and responsibilities defined

    Activities

    1.1 List your goals and challenges

    1.2 Monitoring and event management RACI

    1.3 Abbreviated business impact analysis

    Outputs

    Event Management RACI (as part of the Event Management Cookbook)

    Abbreviated BIA (as part of the Event Management Cookbook)

    2 Define Your Event Management Scope

    The Purpose

    Define your in-scope configuration items and their operational conditions

    Key Benefits Achieved

    Operational conditions, related CIs and dependencies, and CI thresholds defined

    Activities

    2.1 Define operational conditions for systems

    2.2 Define related CIs and dependencies

    2.3 Define conditions for CIs

    2.4 Perform root-cause analysis for complex condition relationships

    2.5 Set thresholds for CIs

    Outputs

    Event Management Catalog

    3 Define Thresholds and Actions

    The Purpose

    Pre-define actions for every monitored event

    Key Benefits Achieved

    Thresholds and actions tied to each monitored event

    Activities

    3.1 Set thresholds to monitor

    3.2 Add actions and handoffs to event management

    Outputs

    Event Catalog

    Event Management Workflows

    4 Start Monitoring and Implement Event Management

    The Purpose

    Effectively implement event management

    Key Benefits Achieved

    Establish an event management roadmap for implementation and continual improvement

    Activities

    4.1 Define your data policy for event management

    4.2 Identify areas for improvement and establish an implementation plan

    Outputs

    Event Catalog

    Event Management Roadmap

    Further reading

    Engineer Your Event Management Process

    Track monitored events purposefully and respond effectively.

    EXECUTIVE BRIEF

    Analyst Perspective

    Event management is useless in isolation.

    Event management creates no value when implemented in isolation. However, that does not mean event management is not valuable overall. It must simply be integrated properly in the service management environment to inform and drive the appropriate actions.

    Every step of engineering event management, from choosing which events to monitor to actioning the events when they are detected, is a purposeful and explicit activity. Ensuring that event management has open lines of communication and actions tied to related practices (e.g. problem, incident, and change) allows efficient action when needed.

    Catalog your monitored events using a standardized framework to allow you to know:

    1. The value of tracking the event.
    2. The impact when the event is detected.
    3. The appropriate, right-sized reaction when the event is detected.
    4. The tool(s) involved in tracking the event.

    Properly engineering event management allows you to effectively monitor and understand your IT environment and bolster the proactivity of the related service management practices.

    Benedict Chang
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Strive for proactivity. Implement event management to reduce response times of technical teams to solve (potential) incidents when system performance degrades.

    Build an integrated event management practice where developers, service desk, and operations can all rely on event logs and metrics.

    Define the scope of event management including the systems to track, their operational conditions, related configuration items (CIs), and associated actions of the tracked events.

    Common Obstacles

    Managed services, subscription services, and cloud services have reduced the traditional visibility of on-premises tools.

    System(s) complexity and integration with the above services has increased, making true cause and effect difficult to ascertain.

    Info-Tech’s Approach

    Clearly define a limited number of operational objectives that may benefit from event management.

    Focus only on the key systems whose value is worth the effort and expense of implementing event management.

    Understand what event information is available from the CIs of those systems and map those against your operational objectives.

    Write a data retention policy that balances operational, audit, and debugging needs against cost and data security needs.

    Info-Tech Insight

    More is NOT better. Even in an AI-enabled world, every event must be collected with a specific objective in mind. Defining the purpose of each tracked event will cut down on data clutter and response time when events are detected.

    Your challenge

    This research is designed to help organizations who are facing these challenges or looking to:

    • Build an event management practice that is situated in the larger service management environment.
    • Purposefully choose events to track, as well as their related actions, based on business-critical systems, their conditions, and their related CIs.
    • Cut down on the clutter of current events tracked.
    • Create a framework to add new events when new systems are onboarded.

    33%

    In 2020, 33% of organizations listed network monitoring as their number one priority for network spending. 27% of organizations listed network monitoring infrastructure as their number two priority.
    Source: EMA, 2020; n=350

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Many organizations have multiple tools across multiple teams and departments that track the current state of infrastructure, making it difficult to consolidate event management into a single practice.
    • Managed services, subscription services, and cloud services have reduced the traditional visibility of on-premises tools.
    • System(s) complexity and integration with the above services has increased, making true cause and effect difficult to ascertain.

    Build event management to bring value to the business

    33%

    33% of all IT organizations reported that end users detected and reported incidents before the network operations team was aware of them.
    Source: EMA, 2020; n=350

    64%

    64% of enterprises use 4-10 monitoring tools to troubleshoot their network.
    Source: EMA, 2020; n=350

    Info-Tech’s approach

    Choose your events purposefully to avoid drowning in data.

    A funnel is depicted. Along the funnel are the following points: Event Candidates; 1. System Selection by Business Impact; 2. System Decomposition; 3. Event Selection and Thresholding; 4. Event Action; 5. Data Management; Valuable, Monitored, and Actioned Events.

    The Info-Tech difference:

    1. Start with a list of your most business-critical systems instead of data points to measure.
    2. Decompose your business-critical systems into their configuration items. This gives you a starting point for choosing what to measure.
    3. Choose your events and label them as notifications, warnings, or exceptions. Choose the relevant thresholds for each CI.
    4. Have a pre-defined action tied to each event. That action could be to log the datapoint for a report or to open an incident or problem ticket.
    5. With your event catalog defined, choose how you will measure the events and where to store the data.

    Event management is useless in isolation

    Define how event management informs other management practices.

    Logging, Archiving, and Metrics

    Monitoring and event management can be used to establish and analyze your baseline. The more you know about your system baselines, the easier it will be to detect exceptions.

    Change Management

    Events can inform needed changes to stay compliant or to resolve incidents and problems. However, it doesn’t mean that changes can be implemented without the proper authorization.

    Automatic Resolution

    The best use case for event management is to detect and resolve incidents and problems before end users or IT are even aware.

    Incident Management

    Events sitting in isolation are useless if there isn’t an effective way to pass potential tickets off to incident management to mitigate and resolve.

    Problem Management

    Events can identify problems before they become incidents. However, you must establish proper data logging to inform problem prioritization and actioning.

    Info-Tech’s methodology for Engineering Your Event Management Process

    1. Situate Event Management in Your Service Management Environment
    2. Define Your Monitoring Thresholds and Accompanying Actions
    3. Start Monitoring and Implement Event Management

    Phase Steps

    1.1 Set Operational and Informational Goals

    1.2 Scope Monitoring and States of Interest

    2.1 Define Conditions and Related CIs

    2.2 Set Monitoring Thresholds and Alerts

    2.3 Action Your Events

    3.1 Define Your Data Policy

    3.2 Define Future State

    Event Cookbook

    Event Catalog

    Phase Outcomes

    Monitoring and Event Management RACI

    Abbreviated BIA

    Event Workflow

    Event Management Roadmap

    Insight summary

    Event management is useless in isolation.

    The goals come from the pain points of other ITSM practices. Build handoffs to other service management practices to drive the proper action when an event is detected.

    Start with business intent.

    Trying to organize a catalog of events is difficult when working from the bottom up. Start with the business drivers of event management to keep the scope manageable.

    Keep your signal-to-noise ratio as high as possible.

    Defining tracked events with their known conditions, root cause, and associated actions allows you to be proactive when events occur.

    Improve slowly over time.

    Start small if need be. It is better and easier to track a few items with proper actions than to try to analyze events as they occur.

    More is NOT better. Avoid drowning in data.

    Even in an AI-enabled world, every event must be collected with a specific objective in mind. Defining the purpose of each tracked event will cut down on data clutter and response time when events are detected.

    Add correlations in event management to avoid false positives.

    Supplement the predictive value of a single event by aggregating it with other events.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Event Management Cookbook
    Use the framework in the Event Management Cookbook to populate your event catalog with properly tracked and actioned events.

    Event Management RACI
    Define the roles and responsibilities needed in event management.

    Event Management Workflow
    Define the lifecycle and handoffs for event management.

    Event Catalog
    Consolidate and organize your tracked events.

    Event Roadmap
    Roadmap your initiatives for future improvement.

    Blueprint benefits

    IT Benefits

    • Provide a mechanism to compare operating performance against design standards and SLAs.
    • Allow for early detection of incidents and escalations.
    • Promote timely actions and ensure proper communications.
    • Provide an entry point for the execution of service management activities.
    • Enable automation activity to be monitored by exception.
    • Provide a basis for service assurance, reporting and service improvements.

    Business Benefits

    • Less overall downtime via earlier detection and resolution of incidents.
    • Better visibility into SLA performance for supplied services.
    • Better visibility and reporting between IT and the business.
    • Better real-time and overall understanding of the IT environment.

    Case Study

    An event management script helped one company get in front of support calls.

    INDUSTRY - Research and Advisory

    SOURCE - Anonymous Interview

    Challenge

    One staff member’s workstation had been infected with a virus that was probing the network with a wide variety of usernames and passwords, trying to find an entry point. Along with the obvious security threat, there existed the more mundane concern that workers occasionally found themselves locked out of their machine and needed to contact the service desk to regain access.

    Solution

    The system administrator wrote a script that runs hourly to see if there is a problem with an individual’s workstation. The script records the computer's name, the user involved, the reason for the password lockout, and the number of bad login attempts. If the IT technician on duty notices a greater than normal volume of bad password attempts coming from a single account, they will reach out to the account holder and inquire about potential issues.

    Results

    The IT department has proactively managed two distinct but related problems. First, it has prevented several instances of unplanned work by reaching out to users facing potential lockouts before receiving an incident report. Second, it has leveraged event management to probe for indicators of a security threat before there is a breach.
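
    The hourly check described in this case study, sketched as an added example (it is not the company's script): it groups one hour of failed-logon records by account, flags accounts whose volume exceeds their own baseline, and, going one step beyond the case study, also flags a workstation that fails against many different accounts. The record fields, reason labels, baseline rule, host and user names, and sample data are all assumptions constructed for illustration.

```python
"""Hourly failed-logon review modelled on the case study (illustrative only)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class FailedLogon:
    when: datetime
    computer: str  # workstation the attempt came from
    user: str      # account the attempt was made against
    reason: str    # assumed labels: "bad_password", "account_locked"


def summarize_hour(events, hour_start):
    """Per-account summary for the window [hour_start, hour_start + 1h)."""
    hour_end = hour_start + timedelta(hours=1)
    summary = defaultdict(
        lambda: {"attempts": 0, "computers": set(), "reasons": Counter()})
    for ev in events:
        if hour_start <= ev.when < hour_end:
            row = summary[ev.user]
            row["attempts"] += 1
            row["computers"].add(ev.computer)
            row["reasons"][ev.reason] += 1
    return dict(summary)


def account_threshold(past_hourly_counts, floor=5, sigmas=3.0):
    """'Greater than normal' here means mean + 3 sigma of the account's own
    hourly history, never below a floor so one typo does not raise an alert."""
    if not past_hourly_counts:
        return floor
    return max(floor, mean(past_hourly_counts) + sigmas * pstdev(past_hourly_counts))


def flag_accounts(events, hour_start, history, floor=5):
    """Accounts the technician on duty should follow up with, busiest first."""
    flagged = []
    for user, row in summarize_hour(events, hour_start).items():
        limit = account_threshold(history.get(user, []), floor)
        if row["attempts"] > limit:
            flagged.append({
                "user": user,
                "attempts": row["attempts"],
                "threshold": round(limit, 1),
                "computers": sorted(row["computers"]),
                "reasons": dict(row["reasons"]),
            })
    return sorted(flagged, key=lambda f: f["attempts"], reverse=True)


def flag_probing_computers(events, hour_start, min_distinct_users=4):
    """A single workstation failing against many accounts: each account stays
    under its own threshold, so the per-account view alone would miss it."""
    hour_end = hour_start + timedelta(hours=1)
    users_by_computer = defaultdict(set)
    for ev in events:
        if hour_start <= ev.when < hour_end:
            users_by_computer[ev.computer].add(ev.user)
    return {c: sorted(u) for c, u in users_by_computer.items()
            if len(u) >= min_distinct_users}


# ---- Constructed sample data (not taken from any real environment) ----
HOUR = datetime(2024, 1, 15, 9, 0)


def _ev(minute, computer, user, reason="bad_password"):
    return FailedLogon(HOUR + timedelta(minutes=minute), computer, user, reason)


SAMPLE_EVENTS = (
    [_ev(-1, "WS-022", "bob")]                                 # previous hour, ignored
    + [_ev(m, "WS-014", "alice") for m in (3, 4)]              # ordinary typos
    + [_ev(m, "WS-022", "bob") for m in range(10, 18)]         # 8 bad passwords
    + [_ev(18, "WS-022", "bob", "account_locked")]             # followed by a lockout
    + [_ev(m, "SRV-002", "svc_batch") for m in range(20, 27)]  # 7, usual for this account
    + [_ev(30 + i, "WS-031", u)                                # one host, many accounts
       for i, u in enumerate(["carol", "dave", "erin", "frank", "grace"])]
    + [_ev(60, "WS-022", "bob")]                               # next hour, ignored
)

# Failed-logon counts per account for earlier hours (constructed).
HISTORY = {"alice": [0, 1, 2, 1], "bob": [1, 0, 2, 1], "svc_batch": [6, 7, 5, 6]}

if __name__ == "__main__":
    for hit in flag_accounts(SAMPLE_EVENTS, HOUR, HISTORY):
        print("account over baseline:", hit)
    for computer, users in flag_probing_computers(SAMPLE_EVENTS, HOUR).items():
        print("workstation failing against many accounts:", computer, users)
```

    On the sample data only `bob` exceeds his own baseline, while `svc_batch` stays quiet despite seven failures because that volume is normal for it; `WS-031` surfaces only in the per-workstation view.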

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Introduce the Cookbook and explore the business impact analysis.

    Call #3: Define system scope and related CIs/dependencies.

    Call #4: Define operational conditions.

    Call #5: Define thresholds and alerts.

    Call #6: Define actions and related practices.

    Call #7: Define data policy.

    Call #8: Identify and prioritize improvements.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 and 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1: Situate Event Management in Your Service Management Environment

    Activities

    1.1 Introductions

    1.2 Operational and Informational Goals and Challenges

    1.3 Event Management Scope

    1.4 Roles and Responsibilities

    Deliverables

    1. Monitoring and Event Management RACI (as part of the Event Management Cookbook)
    2. Abbreviated BIA (as part of the Event Management Cookbook)
    3. Event Management Cookbook

    Day 2: Define Your Event Management Scope

    Activities

    2.1 Define Operational Conditions for Systems

    2.2 Define Related CIs and Dependencies

    2.3 Define Conditions for CIs

    2.4 Perform Root-Cause Analysis for Complex Condition Relationships

    2.4 Set Thresholds for CIs

    Deliverables

    1. Event Management Catalog

    Day 3: Define Thresholds and Actions

    Activities

    3.1 Set Thresholds to Monitor

    3.2 Add Actions and Handoffs to Event Management

    Deliverables

    1. Event Management Catalog
    2. Event Management Workflows

    Day 4: Start Monitoring and Implement Event Management

    Activities

    4.1 Define Your Data Policy for Event Management

    4.2 Identify Areas for Improvement and Future Steps

    4.3 Summarize Workshop

    Deliverables

    1. Event Management Catalog
    2. Event Management Roadmap

    Day 5: Next Steps and Wrap-Up (offsite)

    Activities

    5.1 Complete In-Progress Deliverables From Previous Four Days

    5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next Steps

    Deliverables

    1. Workshop Summary

    Phase 1

    Situate Event Management in Your Service Management Environment

    This phase will walk you through the following activities:

    1.1.1 List your goals and challenges

    1.1.2 Build a RACI chart for event management

    1.2.1 Set your scope using business impact

    This phase involves the following participants:

    Infrastructure management team

    IT managers

    Step 1.1

    Set Operational and Informational Goals

    Activities

    1.1.1 List your goals and challenges

    1.1.2 Build a RACI chart for event management

    Situate Event Management in Your Service Management Environment

    This step will walk you through the following activities:

    Set the overall scope of event management by defining the governing goals. You will also define who is involved in event management as well as their responsibilities.

    This step involves the following participants:

    Infrastructure management team

    IT managers

    Outcomes of this step

    Define the goals and challenges of event management as well as their data proxies.

    Have a RACI matrix to define roles and responsibilities in event management.

    Situate event management among related service management practices

    This image depicts the relationship between Event Management and related service management practices.

    Event management needs to interact with the following service management practices:

    • Incident Management – Event management can provide early detection and/or prevention of incidents.
    • Availability and Capacity Management – Event management helps detect issues with availability and capacity before they become an incident.
    • Problem Management – The data captured in event management can aid in easier detection of root causes of problems.
    • Change Management – Event management can function as the rationale behind needed changes to fix problems and incidents.

    Consider both operational and informational goals for event management

    Event management may log real-time data for operational goals and non-real-time data for informational goals.

    Event Management

    Operational Goals (real-time): Incident Response & Prevention; Availability Scaling

    Informational Goals (non-real time): Availability Scaling; Modeling and Testing; Investigation/Compliance

    • Knowing what outcomes a process is expected to achieve helps with the design of that process.
    • A process targeted to fewer outcomes will generally be less complex, easier to adhere to, and ultimately, more successful than one targeted to many goals.
    • Iterate for improvement.

    1.1.1 List your goals and challenges

    Gather a diverse group of IT staff in a room with a whiteboard.

    Have each participant write down their top five specific outcomes they want from improved event management.

    Consolidate similar ideas.

    Prioritize the goals.

    Record these goals in your Event Management Cookbook.

    Priority Example Goals
    1 Reduce response time for incidents
    2 Improve audit compliance
    3 Improve risk analysis
    4 Improve forecasting for resource acquisition
    5 More accurate RCAs

    Input

    • Pain points

    Output

    • Prioritized list of goals and outcomes

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • Infrastructure management team
    • IT managers

    Download the Event Management Cookbook

    Event management is a group effort

    • Event management needs to involve multiple other service management practices and service management roles to be effective.
    • Consider the roles to the right to see how event management can fit into your environment.

    Infrastructure Team

    The infrastructure team is accountable for deciding which events to track, how to track, and how to action the events when detected.

    Service Desk

    The service desk may respond to events that are indicative of incidents. Setting a root cause for events allows for quicker troubleshooting, diagnosis, and resolution of the incident.

    Problem and Change Management

    Problem and change management may be involved with certain event alerts as the resultant action could be to investigate the root cause of the alert (problem management) or build and approve a change to resolve the problem (change management).

    1.1.2 Build a RACI chart for event management

    1. As a group, complete the RACI chart using the template to the right. RACI stands for the following:
      • Responsible. The person doing the work.
      • Accountable. The person who ensures the work is done.
      • Consulted. Two-way communication.
      • Informed. One-way communication.
      • There must be one and only one accountable person for each task. There must also be at least one responsible person. Depending on the use case, RACI letters may be combined (e.g. AR means the person who ensures the work is complete but also the person doing the work).
    2. Start by defining the roles in the first row to match your own environment.
    3. Look at the tasks in the first column and modify/add/subtract tasks as necessary.
    4. Populate the RACI chart as necessary.

    Event Management Task IT Manager SME IT Infrastructure Manager Service Desk Configuration Manager (Event Monitoring System) Change Manager Problem Manager
    Defining systems and configuration items to monitor R C AR R
    Defining states of operation R C AR C
    Defining event and event thresholds to monitor R C AR I I
    Actioning event thresholds: Log A R
    Actioning event thresholds: Monitor I R A R
    Actioning event thresholds: Submit incident/change/problem ticket R R A R R I I
    Close alert for resolved issues AR RC RC

    Step 1.2

    Scope Monitoring and Event Management Using Business Impact

    Activities

    1.2.1 Set your scope using business impact

    Situate Event Management in Your Service Management Environment

    This step will walk you through the following activities:

    • Set your scope of event management using an abbreviated business impact analysis.

    This step involves the following participants:

    • Infrastructure manager
    • IT managers

    Outcomes of this step

    • List of systems, services, and applications to monitor.

    Use the business impact of your systems to set the scope of monitoring

    Picking events to track and action is difficult. Start with your most important systems according to business impact.

    • Business impact can be determined by how costly system downtime is. This could be a financial impact ($/hour of downtime) or goodwill impact (internal/external stakeholders affected).
    • Use business impact to determine the rating of a system by Tier (Gold, Silver, or Bronze):
      • GOLD: Mission-critical services. An outage is catastrophic in terms of cost or public image/goodwill. Example: trading software at a financial institution.
      • SILVER: Important to daily operations but not mission critical. Example: email services at any large organization.
      • BRONZE: Loss of these services is an inconvenience more than anything, though they do serve a purpose and will be missed if they are never brought back online. Example: ancient fax machines.
    • Align a list of systems to track with your previously selected goals for event management to determine WHY you need to track that system. Tracking the system could inform critical SLAs (performance/uptime), vulnerability, compliance obligations, or simply system condition.

    More is not better

    Tracking too many events across too many tools could decrease your responsiveness to incidents. Start tracking only what is actionable to keep the signal-to-noise ratio of events as high as possible.

    % of Incidents Reported by End Users Before Being Recognized by IT Operations

    A bar graph is depicted. It displays the following data: All Organizations: 40%; 1-3 Tools: 29%; 4-10 Tools: 36%; 11 Tools: 52%

    Source: Riverbed, 2016

    1.2.1 Set your scope using business impact

    Collating an exhaustive list of applications and services is onerous. Start small, with a subset of systems.

    1. Gather a diverse group of IT staff and end users in a room with a whiteboard.
    2. List 10-15 systems and services. Solicit feedback from the group. Questions to ask:
      • What services do you regularly use? What do you see others using? (End users)
      • Which service accounts for the greatest number of service calls? (IT)
      • What services are the most critical for business operations? (Everybody)
      • What is the cost of downtime (financial and goodwill) for these systems? (Business)
      • How does monitoring these systems align with your goals set in Step 1.1?
    3. Assign an importance to each of these systems from Gold (most important) to Bronze (least important).
    4. Record these systems in your Event Management Cookbook.

    # | Systems/Services/Applications | Tier
    1 | Core Infrastructure | Gold
    2 | Internet Access | Gold
    3 | Public-Facing Website | Gold
    4 | ERP | Silver
    15 | PaperSave | Bronze

    Include a variety of services in your analysis

    It might be tempting to jump ahead and preselect important applications. However, even if an application is not on the top 10 list, it may have cross-dependencies that make it more valuable than originally thought.

    For a more comprehensive BIA, see Create a Right-Sized Disaster Recovery Plan

    Phase 2

    Define Your Monitoring Thresholds and Accompanying Actions

    Phase 1 | Phase 2 | Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    • 2.1.1 Define performance conditions
    • 2.1.2 Decompose services into Related CIs
    • 2.2.1 Verify your CI conditions with a root-cause analysis
    • 2.2.2 Set thresholds for your events
    • 2.3.1 Set actions for your thresholds
    • 2.3.2 Build your event management workflow

    This phase involves the following participants:

    • Business system owners
    • Infrastructure manager
    • IT managers

    Step 2.1

    Define Conditions and Related CIs

    Activities

    2.1.1 Define performance conditions

    2.1.2 Decompose services into related CIs

    Define Your Monitoring Thresholds and Accompanying Actions

    This step will walk you through the following activities:

    For each monitored system, define the conditions of interest and related CIs.

    This step involves the following participants:

    Business system owners

    Infrastructure manager

    IT managers

    Outcomes of this step

    List of conditions of interest and related CIs for each monitored system.

    Consider the state of the system that is of concern to you

    Events present a snapshot of the state of a system. To determine which events you want to monitor, you need to consider which system state(s) are of importance.

    • Systems can be in one of three states:
      • Up
      • Down
      • Degraded
    • What do these states mean for each of your systems chosen in your BIA?
    • Up and Down are self-explanatory and a good place to start.
    • However, a degraded system indicates that one or more component systems of an overarching system have failed. You must uncover the nature of such a failure, which requires more sophisticated monitoring.

    2.1.1 Define system states of greatest importance for each of your systems

    1. With the system business owners and compliance officers in the room, list the performance states of your systems chosen in your BIA.
    2. If you have too many systems listed, start only with the Gold Systems.
    3. Use the following proof approaches if needed:
      • Positive Proof Approach – every system has certain technical and business performance expectations. You can use these as a baseline.
      • Negative Proof Approach – users know when systems are not performing. Leverage incident data and end-user feedback to determine failed or degraded system states and work backwards.
    4. Focus on the end-user facing states.
    5. Record your critical system states in the Event Management Cookbook.
    6. Use these states in the next several activities and translate them into measurable infrastructure metrics.

    Input

    • Results of business impact analysis

    Output

    • Critical system states

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • Markers

    Participants

    • Infrastructure manager
    • Business system owners

    2.1.2 Decompose services into relevant CIs

    Define your system dependencies to help find root causes of degraded systems.

    1. For each of your systems identified in your BIA, list the relevant CIs.
    2. Identify the dependencies and relationships of those CIs with other CIs (linkages and dependencies).
    3. Starting with the Up/Down conditions for your Gold systems, list the conditions of the CIs that would lead to the condition of the system. This may be a 1:1 relationship (e.g. Core Switches down = Core Infrastructure down) or a many:1 relationship (some virtualization hosts + load balancers down = Core Infrastructure down). You do not need to define specific thresholds yet. Focus on conditions for the CIs.
    4. Repeat step 3 with Degraded conditions.
    5. Repeat steps 3 and 4 with Silver and Bronze systems.
    6. Record the results in the Event Management Cookbook.

    Core Infrastructure Example

    An iceberg is depicted. Below the surface are the following terms, in order from shallowest to deepest: MPLS Connection, Core Switches, DNS; DHCP, AD ADFS, SAN-01; Load Balancers, Virtualization Hosts (x 12); Power and Cooling

    Step 2.2

    Set Monitoring Thresholds and Alerts

    Activities

    2.2.1 Verify your CI conditions with a root-cause analysis

    2.2.2 Set thresholds for your events

    Define Your Monitoring Thresholds and Accompanying Actions

    This step will walk you through the following activities:

    Set monitoring thresholds for each CI related to each condition of interest.

    This step involves the following participants:

    Business system managers

    Infrastructure manager

    IT managers

    Service desk manager

    Outcomes of this step

    List of events to track along with their root cause.

    Event management will involve a significant number of alerts

    Separate the serious from trivial to keep the signal-to-noise ratio high.

    Event Categories: Exceptions: Alarms Indicate Failure; Alerts indicate exceeded thresholds; Normal Operation. Event Alerts: Informational; Exceptional; Warning

    Set your own thresholds

    You must set your own monitoring criteria based on operational needs. Events triggering an action should be reviewed via an assessment of the potential project and associated risks.

    Consider the four general signal types to help define your tracked events

    Latency – time to respond

    Examples:

    • Web server – time to complete request
    • Network – roundtrip ping time
    • Storage – read/write queue times

    Traffic – amount of activity per unit time

    Examples:

    • Web server – how many pages per minute
    • Network – Mbps
    • Storage – I/O read/writes per sec

    Errors – internally tracked erratic behaviors

    Examples:

    • Web server – page load failures
    • Network – packets dropped
    • Storage – disk errors

    Saturation – consumption compared to theoretical maximum

    Examples:

    • Web server – % load
    • Network – % utilization
    • Storage – % full

    2.2.1 Verify your CI conditions with a root-cause analysis

    RCAs postulate why systems go down; use the RCA to inform yourself of the events leading up to the system going down.

    1. Gather a diverse group of IT staff in a room with a whiteboard.
    2. Pick a complex example of a system condition (many:1 correlation) that has considerable data associated with it (e.g. recorded events, problem tickets).
    3. Speculate on the most likely precursor conditions. For example, if a related CI fails or is degraded, which metrics would you likely see before the failure?
    4. If something failed, imagine what you’d most likely see before the failure.
    5. Extend that timeline backward as far as you can be reasonably confident.
    6. Pick a value for that event.
    7. Write out your logic flow from event recognition to occurrence.
    8. Once satisfied, program the alert and ideally test in a non-prod environment.

    Public Website Example

    Dependency CIs Tool Metrics
    ISP WAN SNMP Traps Latency
    Telemetry Packet Loss
    SNMP Polling Jitter
    Network Performance Web Server Response Time
    Connection Stage Errors
    Web Server Web Page DOM Load Time
    Performance
    Page Load Time

    Let your CIs help you

    At the end of the day, most of us can only monitor what our systems let us. Some (like Exchange Servers) offer a crippling number of parameters to choose from. Others (like MPLS connections) are opaque black boxes giving up only the barest of information. The metrics you choose are largely governed by the art of the possible.

    Case Study

    Exhaustive RCAs proved that 54% of issues were not caused by storage.

    INDUSTRY - Enterprise IT
    SOURCE - ESG, 2017

    Challenge

    Despite a laser focus on building nothing but all-flash storage arrays, Nimble continued to field a dizzying number of support calls.

    Variability and complexity across infrastructure, applications, and configurations – each customer install being ever so slightly different – meant that the problem of customer downtime seemed inescapable.

    Solution

    Nimble embedded thousands of sensors into its arrays, both at a hardware level and in the code. Thousands of sensors per array multiplied by 7,500 customers meant millions of data points per second.

    This data was then analyzed against 12,000 anonymized app-data gap-related incidents.

    Patterns began to emerge, ones that persisted across complex customer/array/configuration combinations.

    These patterns were turned into signatures, then acted on.

    Results

    54% of app-data gap-related incidents were in fact related to non-storage factors! Sub-optimal configuration, bad practices, poor integration with other systems, and even VMs or hosts were the root cause of over half of reported incidents.

    Establishing that your system is working fine is more than IT best practice – by quickly eliminating potential options, the right team can get working on the right system faster, thus restoring the service more quickly.

    Gain an even higher SNR with event correlation

    Filtering:

    Event data determined to be of minimal predictive value is shunted aside.

    Aggregation:

    De-duplication and combination of similar events to trigger a response based on the number or value of events, rather than for individual events.

    Masking:

    Ignoring events that occur downstream of a known failed system. Relies on accurate models of system relationships.

    Triggering:

    Initiating the appropriate response. This could be simple logging, any of the exception event responses, an alert requiring human intervention, or a pre-programmed script.

    2.2.2 Set thresholds for your events

    If the event management team sets the threshold for an alert too low (e.g. one is generated every time CPU load reaches 60% capacity), they will generate too many false positives and create far too much work for themselves, leading to alert fatigue. If they go the other direction and set their thresholds too high, there will be too many false negatives – problems will slip through and cause future disruptions.

    1. Take your list of RCAs from the previous activity and work through it with the group. The goal of the exercise is to produce event values that confidently predict an imminent event.
    2. Questions to ask:
      • What are some benign signs of this incident?
      • Is there something we could have monitored that would have alerted us to this issue before an incident occurred?
      • Should anyone have noticed this problem? Who? Why? How?
    3. Go through this for each of the problems identified and discuss thresholds. When complete, include the information in the Event Management Catalog.

    Public Website Example

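    Dependency | Metrics | Threshold
    Network Performance | Latency | 150ms
    Network Performance | Packet Loss | 10%
    Network Performance | Jitter | >1ms
    Web Server Performance | Response Time | 750ms
    Web Server Performance | Connection Stage Errors | 2
    Web Page Performance | DOM Load time | 1100ms
    Web Page Performance | Page Load time | 1200ms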
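
    The four correlation steps described earlier (filtering, aggregation, masking, triggering), applied to the thresholds in the table above. This is an added example, not part of the original material or the Event Management Cookbook. The CI names, the dependency model, the aggregation count and window, the "value above limit" comparison, and the default "incident" response are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds from the Public Website example; an event breaches when value > limit
# (the comparison direction and the key names are assumptions).
THRESHOLDS = {
    "latency_ms": 150, "packet_loss_pct": 10, "jitter_ms": 1,
    "response_time_ms": 750, "connection_stage_errors": 2,
    "dom_load_ms": 1100, "page_load_ms": 1200,
}
# Responses from the 2.3.1 example; "incident" as the default is an assumption.
RESPONSES = {"latency_ms": "problem", "dom_load_ms": "change"}
# Constructed dependency model: CI -> the CI it depends on.
DEPENDS_ON = {"web-page": "web-server", "web-server": "isp-wan"}
AGGREGATE_COUNT = 3    # assumed: breaches needed before an alert is raised
WINDOW_SECONDS = 300   # assumed: window in which those breaches must fall


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the sample
    ci: str
    metric: str
    value: float


def upstream_chain(ci):
    """Yield every CI that `ci` depends on, nearest first (cycle-safe)."""
    seen = set()
    while ci in DEPENDS_ON and ci not in seen:
        seen.add(ci)
        ci = DEPENDS_ON[ci]
        yield ci


def correlate(events):
    result = {"filtered": 0, "logged": 0, "alerts": [], "masked": []}
    breaches = defaultdict(list)   # (ci, metric) -> breach timestamps

    for ev in sorted(events, key=lambda e: e.ts):
        limit = THRESHOLDS.get(ev.metric)
        if limit is None:
            result["filtered"] += 1            # Filtering: not a tracked metric
        elif ev.value <= limit:
            result["logged"] += 1              # normal operation, log only
        else:
            breaches[(ev.ci, ev.metric)].append(ev.ts)

    # Aggregation: one candidate alert per (ci, metric), raised only when
    # AGGREGATE_COUNT breaches fall inside one window.
    fired_at = {}
    for key, stamps in breaches.items():
        for i in range(len(stamps) - AGGREGATE_COUNT + 1):
            last = stamps[i + AGGREGATE_COUNT - 1]
            if last - stamps[i] <= WINDOW_SECONDS:
                fired_at[key] = last
                break
        else:
            result["logged"] += len(stamps)    # isolated breaches, log only

    first_alert = {}                           # ci -> earliest alert time
    for (ci, _metric), fired in fired_at.items():
        first_alert[ci] = min(fired, first_alert.get(ci, fired))

    for (ci, metric), fired in sorted(fired_at.items(), key=lambda kv: kv[1]):
        # Masking: suppress an alert when an upstream CI was already alerting.
        # Masked alerts are kept in the result, since masking is only as
        # good as the dependency model.
        roots = [up for up in upstream_chain(ci)
                 if first_alert.get(up, fired + 1) <= fired]
        if roots:
            result["masked"].append((ci, metric, roots[-1]))
        else:
            # Triggering: hand the surviving alert to the mapped practice.
            result["alerts"].append((ci, metric, RESPONSES.get(metric, "incident")))
    return result


# Constructed sample: a WAN latency problem that degrades the layers above it.
SAMPLE_EVENTS = [
    Event(0, "isp-wan", "latency_ms", 180), Event(60, "isp-wan", "latency_ms", 210),
    Event(120, "isp-wan", "latency_ms", 190),
    Event(130, "web-server", "response_time_ms", 900),
    Event(190, "web-server", "response_time_ms", 950),
    Event(250, "web-server", "response_time_ms", 1000),
    Event(140, "web-page", "dom_load_ms", 1300), Event(200, "web-page", "dom_load_ms", 1400),
    Event(260, "web-page", "dom_load_ms", 1250),
    Event(10, "web-page", "page_load_ms", 800),      # under threshold
    Event(20, "web-server", "cpu_temp_c", 55),       # untracked metric
    Event(400, "isp-wan", "packet_loss_pct", 12),    # single isolated breach
]

if __name__ == "__main__":
    for name, value in correlate(SAMPLE_EVENTS).items():
        print(name, value)
```

    Twelve raw events collapse to one actionable alert on the WAN link; the two downstream alerts are recorded as masked rather than dropped, so they can be reviewed if the dependency model turns out to be wrong.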

    Step 2.3

    Action Your Events

    Activities

    2.3.1 Set actions for your thresholds

    2.3.2 Build your event management workflow

    Define Your Monitoring Thresholds and Associated Actions

    This step will walk you through the following activities:

    With your list of tracked events from the previous step, build associated actions and define the handoff from event management to related practices.

    This step involves the following participants:

    Event management team

    Infrastructure team

    Change manager

    Problem manager

    Incident manager

    Outcomes of this step

    Event management workflow

    Set actions for your thresholds

    For each of your thresholds, you will need an action tied to the event.

    • Review the event alert types:
      • Informational
      • Warning
      • Exception
    • Each detected event will require one of the following actions.
    • Unactioned events will lead to a poor signal-to-noise ratio of data, which ultimately leads to confusion in the detection of the event and decreased response effectiveness.

    Event Logged

    For informational alerts, log the event for future analysis.

    Automated Resolution

    For a warning or exception event or a set of events with a well-known root cause, you may have an automated resolution tied to detection.

    Human Intervention

    For warnings and exceptions, human intervention may be needed. This could include manual monitoring or a handoff to incident, change, or problem management.

    2.3.1 Set actions for your thresholds

    Alerts generated by event management are useful for many different ITSM practitioners.

    1. With the chosen thresholds at hand, analyze the alerts and determine if they require immediate action or if they can be logged for later analysis.
    2. Questions to ask:
      1. What kind of response does this event warrant?
      2. How could we improve our event management process?
      3. What event alerts would have helped us with root-cause analysis in the past?
    3. Record the results in the Event Management Catalog.

    Public Website Example

    Outcome | Metrics | Threshold | Response(s)
    Network Performance | Latency | 150ms | Problem Management; Tag to Problem Ticket 1701
    Web Page Performance | DOM Load time | 1100ms | Change Management

    Download the Event Management Catalog

    Input

    • List of events generated by event management

    Output

    • Action plan for various events as they occur

    Materials

    • Whiteboard/flip charts
    • Pens
    • Paper

    Participants

    • Event Management Team
    • Infrastructure Team
    • Change Manager
    • Problem Manager
    • Incident Manager

    2.3.2 Build your event management workflow

    1. As a group, discuss your high-level monitoring, alerting, and actioning processes.
    2. Define handoff processes to incident, problem, and change management. If necessary, open your incident, problem, and change workflows and discuss how the event can be passed on to those practices. Discuss the examples below:
      • Incident Management: Who is responsible for opening the incident ticket? Can the incident ticket be automated and templated?
      • Change Management: Who is responsible for opening an RFC? Who will approve the RFC? Can it be a pre-approved change?
      • Problem Management: Who is responsible for opening the problem ticket? How can the event data be useful in the problem management process?
    3. Use and modify the example workflow as needed by downloading the Event Management Workflow.

    Example Workflow:

    This is an image of an example Event Management Workflow

    Download the Event Management Workflow

    Common datapoints to capture for each event

    Data captured will help related service management practices in different ways. Consider what you will need to record for each event.

    • Think of the practice you will be handing the event to. For example, if you’re handing the event off to incident or problem management, data captured will have to help in root-cause analysis to find and execute the right solution. If you’re passing the event off to change management, you may need information to capture the rationale of the change.
    • Knowing the driver for the data can help you define the right data captured for every event.
    • Consider the data points below for your events:

    Data Fields

    • Device
    • Date/time
    • Component
    • Parameters in exception
    • Type of failure
    • Value

    Start Monitoring and Implement Event Management

    This phase will walk you through the following activities:

    3.1.1 Define data policy needs

    3.2.1 Build your roadmap

    This phase involves the following participants:

    Business system owners

    Infrastructure manager

    IT managers

    Step 3.1

    Define Your Data Policy

    Activities

    3.1.1 Define data policy needs

    Start Monitoring and Implement Event Management

    This step will walk you through the following activities:

    Your overall goals from Phase 1 will help define your data retention needs. Document these policy statements in a data policy.

    This step involves the following participants:

    CIO

    Infrastructure manager

    IT managers

    Service desk manager

    Outcomes of this step

    Data retention policy statements for event management

    Know the difference between logs and metrics

    Logs

    A log is a complete record of events from a period:

    • Structured
    • Binary
    • Plaintext

    Missing entries in logs can be just as telling as the values existing in other entries.

    Logs are generally internal constructs to a system:

    • Applications
    • DB replications
    • Firewalls
    • SaaS services

    Completeness and context make logs excellent for:

    • Auditing
    • Analytics
    • Real-time and outlier analysis

    Large amounts of log data can make it difficult to:

    • Store
    • Transmit
    • Sift
    • Sort

    Metrics

    A metric is a numeric value that gives information about a system, generally over a time series. Adjusting the time series allows different views of the data.

    As a time series, metrics operate predictably and consistently regardless of system activity.

    This independence makes them ideal for:

    • Alerts
    • Dashboards
    • Profiling

    Context insensitivity means we can apply the same metric to dissimilar systems:

    • This is especially important for blackbox systems not fully under local control.

    Understand your data requirements

    The amount of event data logged by a 1000-user enterprise averages 113GB/day.

    Source: SolarWinds

    • Security: Logs may contain sensitive information. Best practice is to ensure logs are secure at rest and in transit. Tailor your security protocol to your compliance regulations (PCI, etc.).
    • Architecture and Availability: When production infrastructure goes down, logging tends to go down as well. Holes in your data stream make it much more difficult to determine root causes of incidents. An independent secondary architecture helps solve problems when your primary is offline. At the very least, system agents should be able to buffer data until the pipeline is back online.
    • Performance: Log data grows organically with the rest of the enterprise and geometrically in the event of a major incident. Your infrastructure design needs to support peak loads to prevent it from being overwhelmed when you need it the most.
    • Access Control: Events have value for multiple process owners in your enterprise. You need to enable access but also ensure data consistency as each group performs their own analysis on the data.
    • Retention: Near-real time data is valuable operationally; historic data is valuable strategically. Find a balance between the two, keeping in mind your obligations under compliance frameworks (GDPR, etc.).

    3.1.1 Set your data policy for every event

    1. Given your event list in the Event Management Catalog, include the following information for each event:
      • Retention Period
      • Data Sensitivity
      • Data Rate
    2. Record the results in the Event Management Catalog.

    Public Website Example

    Metrics/Log Retention Period Data Sensitivity Data Rate
    Latency 150ms No
    Packet Loss 10% No
    Jitter >1ms No
    Response Time 750ms No
    HAProxy Log 7 days Yes 3GB/day
    DOM Load time 1100ms
    Page Load time 1200ms
    User Access 3 years Yes

    Input

    • List of events generated by event management
    • List of compliance standards your organization adheres to

    Output

    • Data policy for every event monitored and actioned

    Materials

    • Whiteboard/flip charts
    • Pens
    • Paper

    Participants

    • Event management team
    • Infrastructure team

    Step 3.2

    Set Your Future of Event Monitoring

    Activities

    3.2.1 Build your roadmap

    Start Monitoring and Implement Event Management

    This step will walk you through the following activities:

    Event management maturity is slowly built over time. Define your future actions in a roadmap to stay on track.

    This step involves the following participants:

    CIO

    Infrastructure manager

    IT managers

    Outcomes of this step

    Event management roadmap and action items

    Practice makes perfect

    For every event that generates an alert, you want to judge the predictive power of said event.

    Engineer your event management practice to be predictive. For example:

    • Up/Down Alert – Expected Consequence: Service desk will start working on the incident ticket before a user reports that said system has gone down.
    • SysVol Capacity Alert – Expected Consequence: Change will be made to free up space on the volume prior to the system crashing.

    If the expected consequence is not observed, there are three places to look:

    1. Was the alert received by the right person?
    2. Was the alert received in enough time to do something?
    3. Did the event triggering the alert have a causative relationship with the consequence?

    While it is impractical to look at every action resulting from an alert, a regular review process will help improve your process. Effective alerts are crafted with specific and measurable outcomes.

    Info-Tech Insight

    False positives are worse than missed positives as they undermine confidence in the entire process from stakeholders and operators. If you need a starting point, action your false positives first.
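
    One way to judge the predictive power of an alert is to replay candidate thresholds against recorded metric history and count false positives, late alerts, and missed incidents for each. This is an added example, not part of the original material; the CPU samples, incident times, 30-minute prediction window, and 10-minute minimum lead time are constructed assumptions.

```python
# Constructed history: (minute, cpu_pct) samples at five-minute intervals,
# and the minutes at which an incident actually began.
SAMPLES = [
    (0, 40), (5, 45), (10, 65), (15, 50), (20, 42), (25, 62),
    (30, 48), (35, 55), (40, 72), (45, 81), (50, 93), (55, 97),
    (60, 99), (65, 50), (70, 45), (75, 63), (80, 47), (85, 58),
    (90, 76), (95, 88), (100, 91), (105, 96), (110, 98), (115, 44),
]
INCIDENT_STARTS = [60, 110]
LEAD_WINDOW = 30   # assumed: an alert "predicts" an incident starting within 30 min
MIN_LEAD = 10      # assumed: minutes the owner needs to act on the alert


def alert_times(threshold, samples):
    """Minutes at which the metric rises above the threshold (one alert per excursion)."""
    times, above = [], False
    for minute, value in samples:
        if value > threshold and not above:
            times.append(minute)
        above = value > threshold
    return times


def review_threshold(threshold, samples, incidents,
                     window=LEAD_WINDOW, min_lead=MIN_LEAD):
    """Classify every alert a threshold would have raised against what followed."""
    alerts = alert_times(threshold, samples)
    counts = {"threshold": threshold, "alerts": len(alerts), "predictive": 0,
              "too_late": 0, "false_positive": 0, "missed": 0}
    for fired in alerts:
        leads = [inc - fired for inc in incidents if 0 <= inc - fired <= window]
        if not leads:
            # No consequence followed the alert. Temporal precedence is used
            # here as a stand-in for causation; it does not prove it.
            counts["false_positive"] += 1
        elif min(leads) >= min_lead:
            counts["predictive"] += 1      # arrived in enough time to act
        else:
            counts["too_late"] += 1        # right signal, not enough time
    for inc in incidents:
        if not any(0 <= inc - fired <= window for fired in alerts):
            counts["missed"] += 1          # false negative: nothing fired beforehand
    return counts


def sweep(thresholds, samples, incidents):
    """Review each candidate, fewest false positives first, then fewest late/missed."""
    rows = [review_threshold(t, samples, incidents) for t in thresholds]
    return sorted(rows, key=lambda r: (r["false_positive"],
                                       r["too_late"] + r["missed"]))


if __name__ == "__main__":
    for row in sweep([60, 80, 95, 98], SAMPLES, INCIDENT_STARTS):
        print(row)
```

    On this sample, the 60% threshold raises five alerts of which three are false positives, 95% alerts only five minutes before each incident, and 98% misses one incident entirely; 80% predicts both incidents with no noise.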

    Mind Your Event Management Errors

    Two donut charts are depicted. The first has a slice labeled 7% False Positive. The second has a slice labeled 33% False Negative.

    Source: IEEE Communications Magazine March 2012

    Follow the Cookbook for every event you start tracking

    Consider building event management into new, onboarded systems as well.

    You now have several core systems, their CIs, conditions, and their related events listed in the Event Catalog. Keep the Catalog as your single reference point to help manage your tracked events across multiple tools.

    The Event Management Cookbook is designed to be used over and over. Keep your tracked events standard by running through the steps in the Cookbook.

    An additional step you could take is to pull the Cookbook out for event tracking for each new system added to your IT environment. Adding events in the Catalog during application onboarding is a good way to manage and measure configuration.

    Event Management Cookbook

    This is a screenshot of the Event Management Cookbook

    Use the framework in the Event Management Cookbook to populate your event catalog with properly tracked and actioned events.

    3.2.1 Build an event management roadmap

    Increase your event management maturity over time by documenting your goals.

    Add the following in-scope goals for future improvement. Include owner, timeline, progress, and priority.

    • Add additional systems/applications/services to event management
    • Expand condition lists for given systems
    • Consolidate tracking tools for easier data analysis and actioning
    • Integrate event management with additional service management practices

    This image contains a screenshot of a sample Event Management Roadmap

    Summary of Accomplishment

    Problem Solved

    You now have a structured event management process with a start on a properly tracked and actioned event catalog. This will help you detect issues before they become incidents, changes needed to the IT environment, and problems before they spread.

    Continue to use the Event Management Cookbook to add new monitored events to your Event Catalog. This ensures future events will be held to the same or better standard, which allows you to avoid drowning in too much data.

    Lastly, stay on track and continually mature your event management practice using your Event Management Roadmap.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    This is an example of a RACI Chart for Event Management

    Build a RACI Chart for Event Management

    Define and document the roles and responsibilities in event management.

    This is an example of a business impact chart

    Set Your Scope Using Business Impact

    Define and prioritize in-scope systems and services for event management.

    Related Info-Tech Research

    Standardize the Service Desk

    Improve customer service by driving consistency in your support approach and meeting SLAs.

    Improve Incident and Problem Management

    Don’t let persistent problems govern your department.

    Harness Configuration Management Superpowers

    Build a service configuration management practice around the IT services that are most important to the organization.

    Optimize the Service Desk With a Shift-Left Strategy

    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $21,171 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Tier 2 and 3 specialists lose time and resources working on tickets instead of more complex projects.
    • The service desk finds itself resolving the same incidents over and over, wasting manual work on tasks that could be automated.
    • Employees expect modern, consumer-like experiences when they need help; they want to access information and resources from wherever they are and have the tools to solve their problems themselves without waiting for help.

    Our Advice

    Critical Insight

    • It can be difficult to overcome the mindset that difficult functions need to be escalated. Shift left involves a cultural change to the way the service desk works, and overcoming objections and getting buy-in up front is critical.
    • Many organizations have built a great knowledgebase but fail to see the value of it over time as it becomes overburdened with overlapping and out-of-date information. Knowledge capture, updating, and review must be embedded into your processes if you want to keep the knowledgebase useful.
    • Similarly, the self-service portal is often deployed out of the box with little input from end users and fails to deliver its intended benefits. The portal needs to be designed from the end user’s point of view with the goal of self-resolution if it will serve its purpose of deflecting tickets.

    Impact and Result

    • Embrace a shift-left strategy by moving repeatable service desk tasks and requests into lower-cost delivery channels such as self-help tools and automation.
    • Shift work from Tier 2 and 3 support to Tier 1 through good knowledge management practices that empower the first level of support with documented solutions to recurring issues and free up more specialized resources for project work and higher value tasks.
    • Shift knowledge from the service desk to the end user by enabling them to find their own solutions. A well-designed and implemented self-service portal will result in fewer logged tickets to the service desk and empowered, satisfied end users.
    • Shift away manual repetitive work through the use of AI and automation.
    • Successfully shifting this work left can reduce time to resolve, decrease support costs, and increase end-user satisfaction.

    Optimize the Service Desk With a Shift-Left Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand why a shift-left strategy can help to optimize your service desk, review Info-Tech's methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare to shift left

    Assess whether you’re ready to optimize the service desk with a shift-left strategy, get buy-in for the initiative, and define metrics to measure success.

    • Optimize the Service Desk With a Shift-Left Strategy – Phase 1: Prepare to Shift Left
    • Shift-Left Prerequisites Assessment
    • Shift-Left Strategy
    • Shift-Left Stakeholder Buy-In Presentation

    2. Design shift-left model

    Build strategy and identify specific opportunities to shift service support left to Level 1 through knowledge sharing and other methods, to the end-user through self-service, and to automation and AI.

    • Optimize the Service Desk With a Shift-Left Strategy – Phase 2: Design Shift Left Model
    • Shift-Left Action Plan
    • Knowledge Management Workflows (Visio)
    • Knowledge Management Workflows (PDF)
    • Self-Service Portal Checklist
    • Self-Service Resolution Workflow (Visio)
    • Self-Service Resolution Workflow (PDF)

    3. Implement and communicate

    Identify, track, and implement specific shift-left opportunities and document a communications plan to increase adoption.

    • Optimize the Service Desk With a Shift-Left Strategy – Phase 3: Implement & Communicate
    • Incident Management Workflow (Visio)
    • Incident Management Workflow (PDF)

    Workshop: Optimize the Service Desk With a Shift-Left Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare to Shift Left

    The Purpose

    Define how shift left would apply in your organization, get buy-in for the initiative, and define metrics to measure success.

    Key Benefits Achieved

    Defined scope and objectives for the shift-left initiative

    Buy-in for the program

    Metrics to keep the project on track and evaluate success

    Activities

    1.1 Review current service desk structure

    1.2 Discuss challenges

    1.3 Review shift-left model and discuss how it would apply in your organization

    1.4 Complete the Shift-Left Prerequisites Assessment

    1.5 Complete a RACI chart for the project

    1.6 Define and document objectives

    1.7 Review the stakeholder buy-in presentation

    1.8 Document critical success factors

    1.9 Define KPIs and metrics

    Outputs

    Shift-left scope

    Completed shift-left prerequisites assessment

    RACI chart

    Defined objectives

    Stakeholder buy-in presentation

    Critical success factors

    Metrics to measure success

    2 Plan to Shift to Level 1

    The Purpose

    Build strategy and identify specific opportunities to shift service support left to Level 1 through knowledge sharing and other methods.

    Key Benefits Achieved

    Identified initiatives to shift work to Level 1

    Documented knowledge management process workflows and strategy

    Activities

    2.1 Identify barriers to Level 1 resolution

    2.2 Discuss knowledgebase challenges and areas for improvement

    2.3 Optimize KB input process

    2.4 Optimize KB usage process

    2.5 Optimize KB review process

    2.6 Discuss and document KCS strategy and roles

    2.7 Document knowledge success metrics

    2.8 Brainstorm additional methods of increasing FLR

    Outputs

    KB input workflow

    KB usage workflow

    KB review workflow

    KCS strategy and roles

    Knowledge management metrics

    Identified opportunities to shift to Level 1

    3 Plan to Shift to End User and Automation

    The Purpose

    Build strategy and identify specific opportunities to shift service support left to the end user through self-service and to automation and AI.

    Key Benefits Achieved

    Identified initiatives to shift work to self-service and automation

    Evaluation of self-service portal and identified opportunities for improvement

    Activities

    3.1 Review existing self-service portal and discuss vision

    3.2 Identify opportunities to improve portal accessibility, UI, and features

    3.3 Evaluate the user-facing knowledgebase

    3.4 Optimize the ticket intake form

    3.5 Document plan to improve, communicate, and evaluate portal

    3.6 Map the user experience with a workflow

    3.7 Document your AI strategy

    3.8 Identify candidates for automation

    Outputs

    Identified opportunities to improve portal

    Improvements to knowledgebase

    Improved ticket intake form

    Strategy to communicate and measure success of portal

    Self-service resolution workflow

    Strategy to apply AI and automation

    Identified opportunities to shift tasks to automation

    4 Build Implementation and Communication Plan

    The Purpose

    Build an action plan to implement shift left, including a communications strategy.

    Key Benefits Achieved

    Action plan to track and implement shift-left opportunities

    Communications plan to increase adoption

    Activities

    4.1 Examine process workflows for shift-left opportunities

    4.2 Document shift-left-specific responsibilities for each role

    4.3 Identify and track shift-left opportunities in the action plan

    4.4 Brainstorm objections and responses

    4.5 Document communications plan

    Outputs

    Incident management workflow with shift-left opportunities

    Shift-left responsibilities for key roles

    Shift-left action plan

    Objection handling responses

    Communications plan

    Cost-Reduction Planning for IT Vendors

    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $12,733 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Unprecedented health and economic conditions are putting extreme pressure and controls on expense management.
    • IT needs to implement proactive measures to reduce costs with immediate results.
    • IT must sustain these reductions beyond the near term since no one knows how long the current conditions will last.

    Our Advice

    Critical Insight

    • Proactively initiating a “War on Waste” (WoW) to reduce the expenses and costs in areas that do not impact operational capabilities of IT is an easy way to reduce IT expenditures.
    • This is accomplished by following the principle “Stop Doing Stupid Stuff” (SDSS), which many organizations deemphasize or overlook during times of growth and prosperity.
    • Initiating a WoW and SDSS program with passion, creativity, and urgency will deliver short-term cost reductions.

    Impact and Result

    • Pinpoint and implement tactical countermeasures and savings opportunities to reduce costs immediately (Reactive: <3 months).
    • Identify and deploy proven practices to capture and sustain expense reduction throughout the mid-term (Proactive: 3-12 months).
    • Create a long-term strategy to improve flexibility, make changes more swiftly, and quickly generate cost-cutting opportunities (Strategic: >12 months).
    • Use Info-Tech’s 4 R’s Framework (Required, Removed, Rescheduled, and Reduced) and guiding principles to develop your cost-reduction roadmap.

    Cost-Reduction Planning for IT Vendors Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start here – read the Storyboard

    Read our concise Executive Brief to find out how you can reduce your IT cost in the short term while establishing a foundation for long-term sustainment of IT cost containment.

    • Cost-Reduction Planning for IT Vendors Storyboard
    • Cost-Cutting Classification and Prioritization Tool

    Avoid Project Management Pitfalls

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • IT organizations seem to do everything in projects, yet fewer than 15% successfully complete all deliverables on time and on budget.
    • Project managers seem to succumb to the relentless pressure from stakeholders to deliver more, more quickly, with fewer resources, and with less support than is ideal.
    • To achieve greater likelihood that your project will stay on track, watch out for the four big pitfalls: scope creep, failure to obtain stakeholder commitment, inability to assemble a team, and failure to plan.

    Our Advice

    Critical Insight

    • While many project managers worry about proper planning as the key to project success, skilled management of the political factors around a project has a much greater impact on success.
    • Alone, combating scope creep can improve your likelihood of success by a factor of 2x.
    • A strong project sponsor will be key to fighting the inevitable battles to control scope and obtain resources.

    Impact and Result

    • Take steps to avoid falling into common project pitfalls.
    • Assess which pitfalls threaten your project in its current state and take appropriate steps to avoid falling into them.
    • Avoiding pitfalls will allow you to deliver value on time and on budget, creating the perception of success in users’ and managers’ eyes.

    Avoid Project Management Pitfalls Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn about common PM pitfalls and the strategies to avoid them

    Consistently meet project goals through enhanced PM knowledge and awareness.

    • Storyboard: Avoid Project Management Pitfalls

    2. Detect project pitfalls

    Take action and mitigate a pitfall before it becomes a problem.

    • Project Pitfall Detection & Mitigation Tool

    3. Document and report PM issues

    Learn from issues encountered to help map PM strategies for future projects.

    • Project Management Pitfalls Issue Log

    Learn the right way to manage metrics

    Learn to use metrics in the right way. Avoid staff (subconsciously) gaming the numbers, as it is only natural to try to achieve the objective. This is really a case of "be careful what you wish for; you may just get it."

    Develop a Security Awareness and Training Program That Empowers End Users

    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $12,075 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved.
    • Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
    • Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.

    Our Advice

    Critical Insight

    • One-time, annual training is no longer sufficient for creating an effective security awareness and training program.
    • By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

    Impact and Result

    • Create a training program that delivers smaller amounts of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
    • Evaluate and improve your security awareness and training program continuously to keep its content up-to-date. Leverage end-user feedback to ensure content remains relevant to those who receive it.

    Develop a Security Awareness and Training Program That Empowers End Users Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a security awareness and training program that empowers end users, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop your training program

    Create or mature a security awareness and training program that is tailored to your organization.

    • Develop a Security Awareness and Training Program That Empowers End Users – Phase 1: Develop Your Training Program
    • Security Awareness and Training Program Development Tool
    • End-User Security Job Description Template
    • Training Materials – Physical Computer Security
    • Training Materials – Cyber Attacks
    • Training Materials – Incident Response
    • Training Materials – Mobile Security
    • Training Materials – Passwords
    • Training Materials – Phishing
    • Training Materials – Social Engineering
    • Training Materials – Web Usage
    • Security Awareness and Training Vendor Evaluation Tool
    • Security Awareness and Training Metrics Tool
    • End-User Security Knowledge Test Template
    • Security Training Campaign Development Tool

    2. Design an effective training delivery plan

    Explore methods of training delivery and select the most effective solutions.

    • Develop a Security Awareness and Training Program That Empowers End Users – Phase 2: Design an Effective Training Delivery Plan
    • Information Security Awareness and Training Policy
    • Security Awareness and Training Gamification Guide
    • Mock Spear Phishing Email Examples
    • Security Training Email Templates
    • Security Awareness and Training Module Builder and Training Schedule
    • Security Training Campaign Development Tool
    • Security Training Program Manual
    • Security Awareness and Training Feedback Template
    • Security Awareness Month Week 1: Staying in Touch
    • Security Awareness Month Week 2: Sharing Special Moments
    • Security Awareness Month Week 3: Working and Networking
    • Security Awareness Month Week 4: Families and Businesses

    Workshop: Develop a Security Awareness and Training Program That Empowers End Users

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Outline the Plan for Long-term Program Improvement

    The Purpose

    Identify the maturity level of the existing security awareness and training program and set development goals.

    Establish program milestones and outline key initiatives for program development.

    Identify metrics to measure program effectiveness.

    Key Benefits Achieved

    Identified the gaps between the current maturity level of the security awareness and training program and future target states.

    Activities

    1.1 Create a program development plan.

    1.2 Investigate and select metrics to measure program effectiveness.

    1.3 Execute some low-hanging fruit initiatives for collecting metrics: e.g. create a knowledge test, feedback survey, or gamification guide.

    Outputs

    Customized development plan for program.

    Tool for tracking metrics.

    Customized knowledge quiz ready for distribution.

    Customized feedback survey for training.

    Gamification program outline.

    2 Identify and Assess Audience Groups and Security Training Topics

    The Purpose

    Determine the unique audience groups within your organization and evaluate their risks and vulnerabilities.

    Prioritize training topics and audience groups to effectively streamline program development.

    Key Benefits Achieved

    Created a comprehensive list of unique audience groups and the corresponding security training that each group should receive.

    Determined priority ratings for both audience groups and the security topics to be delivered.

    Activities

    2.1 Identify the unique audience groups within your organization and the threats they face.

    2.2 Determine the priority levels of the current security topics.

    2.3 Review audience groups and determine which topics need to be delivered to each group.

    Outputs

    Risk profile for each identified audience group.

    Priority scores for all training topics.

    List of relevant security topics for each identified audience group.

    3 Plan the Training Delivery

    The Purpose

    Identify all feasible delivery channels for security training within your organization.

    Build a vendor evaluation tool and shortlist or harvest materials for in-house content creation.

    Key Benefits Achieved

    List of all potential delivery mechanisms for security awareness and training.

    Built a vendor evaluation tool and discussed a vendor shortlist.

    Harvested a collection of free online materials for in-house training development.

    Activities

    3.1 Discuss potential delivery mechanisms for training, including the purchase and use of a vendor.

    3.2 If selecting a vendor, review vendor selection criteria and discuss potential vendor options.

    3.3 If creating content in-house, review and select available resources on the web.

    Outputs

    List of available delivery mechanisms for training.

    Vendor assessment tool and shortlist.

    Customized security training presentations.

    4 Create a Training Schedule for Content Deployment

    The Purpose

    Create a plan for deploying a pilot program to gather valuable feedback.

    Create an ongoing training schedule.

    Define the end users’ responsibilities towards security within the organization.

    Key Benefits Achieved

    Created a plan to deploy a pilot program.

    Created a schedule for training deployment.

    Defined role of end users in helping protect the organization against security threats.

    Activities

    4.1 Build training modules.

    4.2 Create an ongoing training schedule.

    4.3 Define and document your end users’ responsibilities towards their security.

    Outputs

    Documented modular structure to training content.

    Training schedule.

    Security job description template.

    End-user training policy.

    COVID-19 Work Status Tracking Guide

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Keeping track of the multiple and frequently changing work arrangements on your team.
    • Ensuring you have a fast and easy way to keep an up-to-date record of where and how employees are working.

    Our Advice

    Critical Insight

    • During these critical times, keeping track of employees’ work status doesn’t have to be complicated – the right tool is one that does the job.
    • Keeping track of your employees is a health and safety issue – deployed well, it is an aid in keeping the business running and an additional communication channel, not a sign of lack of trust.

    Impact and Result

    • An Excel spreadsheet is all you need to ensure you have a way to record work arrangements that can change by the day.
    • An easy-to-use tool means minimal administrative overhead to ensure you have this critical information at hand.

    COVID-19 Work Status Tracking Guide Research & Tools

    Start here – read the Work Status Tracking Guide

    Read our recommendations and use the accompanying tool to quickly get a handle on your team’s work arrangements.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • COVID-19 Work Status Tracking Guide Storyboard
    • COVID-19 Work Status Tracking Tool

    Build an IT Risk Taxonomy

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
    • IT risk managers need to balance the emerging threat landscape while not losing sight of the risks of today.
    • IT needs to strengthen IT controls and anticipate risks in an age of disruption.

    Our Advice

    Critical Insight

    A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

    Impact and Result

    • Use this blueprint as a baseline to build a customized IT risk taxonomy suitable for your organization.
    • Learn about the role and drivers of integrated risk management and the benefits it brings to enterprise decision-makers.
    • Discover how to set your organization up for success by understanding how risk management links to organizational strategy and corporate performance.

    Build an IT Risk Taxonomy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Risk Taxonomy – Develop a common approach to managing risks to enable faster, more effective decision making.

    Learn how to develop an IT risk taxonomy that will remain relevant over time while providing the granularity and clarity needed to make more effective risk-based decisions.

    • Build an IT Risk Taxonomy – Phases 1-3

    2. Build an IT Risk Taxonomy Guideline and Template – A set of tools to customize and design an IT risk taxonomy suitable for your organization.

    Leverage these tools as a starting point to develop risk levels and definitions appropriate to your organization. Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.

    • IT Risk Taxonomy Committee Charter Template
    • Build an IT Risk Taxonomy Guideline
    • Build an IT Risk Taxonomy Definitions
    • Build an IT Risk Taxonomy Design Template

    3. IT Risk Taxonomy Workbook – A place to complete activities and document decisions that may need to be communicated.

    Use this workbook to document outcomes of activities and brainstorming sessions.

    • Build an IT Risk Taxonomy Workbook

    4. IT Risk Register – An internal control tool used to manage IT risks. Risk levels archived in this tool are instrumental to achieving an integrated and holistic view of risks across an organization.

    Leverage this tool to document risk levels, risk events, and controls. Smaller organizations can leverage this tool for risk management while larger organizations may find this tool useful to structure and define risks prior to using a risk management software tool.

    • Risk Register Tool

    Workshop: Build an IT Risk Taxonomy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review IT Risk Fundamentals and Governance

    The Purpose

    Review IT risk fundamentals and governance.

    Key Benefits Achieved

    Learn how enterprise risk management and IT risk management intersect and the role the IT taxonomy plays in integrated risk management.

    Activities

    1.1 Discuss risk fundamentals and the benefits of integrated risk.

    1.2 Create a cross-functional IT taxonomy working group.

    Outputs

    IT Risk Taxonomy Committee Charter Template

    Build an IT Risk Taxonomy Workbook

    2 Identify Level 1 Risk Types

    The Purpose

    Identify suitable IT level 1 risk types.

    Key Benefits Achieved

    Level 1 IT risk types are determined and have been tested against ERM level one risk types.

    Activities

    2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.

    2.2 Establish level 1 risk types.

    2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.

    Outputs

    Build an IT Risk Taxonomy Workbook

    3 Identify Level 2 and Level 3 Risk Types

    The Purpose

    Define level 2 and level 3 risk types.

    Key Benefits Achieved

    Level 2 and level 3 risk types have been determined.

    Activities

    3.1 Establish level 2 risk types.

    3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).

    3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.

    Outputs

    Build an IT Risk Taxonomy Design Template

    Risk Register Tool

    4 Monitor, Report, and Respond to IT Risk

    The Purpose

    Test the robustness of your IT risk taxonomy by populating the risk register with risk events and controls.

    Key Benefits Achieved

    Your IT risk taxonomy has been tested and your risk register has been updated.

    Activities

    4.1 Continue to test robustness of taxonomy and iterate if necessary.

    4.2 Optional activity: Draft your IT risk appetite statements.

    4.3 Discuss communication and continual improvement plan.

    Outputs

    Build an IT Risk Taxonomy Design Template

    Risk Register Tool

    Build an IT Risk Taxonomy Workbook

    Further reading

    Build an IT Risk Taxonomy

    If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

    Analyst Perspective

    The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice.

    Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management.

    Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise.

    Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level.

    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    IT has several challenges when managing and responding to risk events:

    • Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
    • Navigating today’s ever-evolving threat landscape is complex. IT risk managers need to balance the emerging threat landscape while not losing sight of the risks of today.
    • IT needs to strengthen IT controls and anticipate risks in an age of disruption.

    Common Obstacles

    Many IT organizations encounter obstacles in these areas:

    • Ensuring an integrated, well-coordinated approach to risk management across the organization.
    • Developing an IT risk taxonomy that will remain relevant over time while providing sufficient granularity and definitional clarity.
    • Gaining acceptance and ensuring understanding of accountability. Involving business leaders and a wide variety of risk owners when developing your IT risk taxonomy will lead to greater organizational acceptance.

    Info-Tech’s Approach

    • Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.
    • Spend the time to fully analyze your current and future threat landscape when defining your level 1 IT risks and consider the causal impact and complex linkages and intersections.
    • Recognize that the threat landscape will continue to evolve and that your IT risk taxonomy is a living document that must be continually reviewed and strengthened.

    Info-Tech Insight

    A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

    Increasing threat landscape

    The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.

    Financial Impact

    In IBM’s 2021 Cost of a Data Breach Report, the Ponemon Institute found that data security breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report.

    Strategic Risk

    58% of CROs view the inability to manage cyber risks as a top strategic risk.

    EY’s 2022 Global Bank Risk Management survey revealed that Chief Risk Officers (CROs) view the inability to manage cyber risk and the inability to manage cloud and data risk as the top strategic risks.

    Reputation Risk

    Protiviti’s 2023 Executive Perspectives on Top Risks survey featured operational resilience within its top ten risks. An organization’s failure to be sufficiently resilient or agile in a crisis can significantly impact operations and reputation.

    Persistent and emerging threats

    Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.

    Talent Risk

    Protiviti’s 2023 Executive Perspectives on Top Risks survey revealed talent risk as the top risk organizations face, specifically organizations’ ability to attract and retain top talent. Of the 38 risks in the survey, it was the only risk issue rated at a “significant impact” level.

    Sustainability

    Sustainability is at the top of the risk agenda for many organizations. In EY’s 2022 Global Bank Risk Management survey, environmental, social, and governance (ESG) risks were identified as a risk focus area, with 84% anticipating it to increase in priority over the next three years. Yet Info-Tech’s Tech Trends 2023 report revealed that only 24% of organizations could accurately report on their carbon footprint.

    Source: Info-Tech 2023 Tech Trends Report

    Digital Disruption

    The risks related to digital disruption are vast and evolving. In the short term, risks surface in compliance and skills shortage, but Protiviti’s 2023 Executive Perspectives survey shows that in the longer term, executives are concerned that the speed of change and market forces may outpace an organization’s ability to compete.

    Build an IT risk taxonomy: As technology and digitization continue to advance, risk management practices must also mature. To strengthen operational and financial resiliency, it is essential that organizations move away from a siloed approach to IT risk management toward an integrated approach. Without a common IT risk taxonomy, effective risk assessment and aggregation at the enterprise level is not possible.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Simple, customizable approach to build an IT risk taxonomy
    • Improved satisfaction with IT for senior leadership and business units
    • Greater ability to respond to evolving threats
    • Improved understanding of IT’s role in enterprise risk management (ERM)
    • Stronger, more reliable internal control framework
    • Reduced operational surprises and failures
    • More dynamic decision making
    • More proactive risk responses
    • Improve transparency and comparability of risks across silos
    • Better financial resilience and confidence in meeting regulatory requirements
    • More relevant risk assurance for key stakeholders

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Risk Taxonomy Committee Charter Template

    Create a cross-functional IT risk taxonomy committee.

    Build an IT Risk Taxonomy Guideline

    Use IT risk taxonomy as a baseline to build your organization’s approach.

    Build an IT Risk Taxonomy Design Template

    Use this template to design and test your taxonomy.

    Risk Register Tool

    Update your risk register with your IT risk taxonomy.

    Key deliverable:

    Build an IT Risk Taxonomy Workbook

    Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.

    Benefit from industry-leading best practices

    As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

    COSO’s Enterprise Risk Management – Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

    ISO 31000 – Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

    COBIT 2019’s IT functions were used to develop and refine the ten IT risk categories used in our top-down risk identification methodology.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1 Phase 2 Phase 3

    Call #1: Review risk management fundamentals.

    Call #2: Review the role of an IT risk taxonomy in risk management.

    Call #3: Establish a cross-functional team.

    Calls #4-5: Identify level 1 IT risk types. Test against enterprise risk management.

    Call #6: Identify level 2 and level 3 risk types.

    Call #7: Align risk events and controls to level 3 risk types and test.

    Call #8: Update your risk register and communicate taxonomy internally.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 3 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1: Review IT Risk Fundamentals and Governance

    Activities

    1.1 Discuss risk fundamentals and the benefits of integrated risk.

    1.2 Create a cross-functional IT taxonomy working group.

    Deliverables
    1. IT Risk Taxonomy Committee Charter Template
    2. Build an IT Risk Taxonomy Workbook

    Day 2: Identify Level 1 IT Risk Types

    Activities

    2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.

    2.2 Establish level 1 risk types.

    2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.

    Deliverables
    1. Build an IT Risk Taxonomy Workbook

    Day 3: Identify Level 2 and Level 3 Risk Types

    Activities

    3.1 Establish level 2 risk types.

    3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).

    3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.

    Deliverables
    1. IT Risk Taxonomy Design Template
    2. Risk Register

    Day 4: Monitor, Report, and Respond to IT Risk

    Activities

    4.1 Continue to test robustness of taxonomy and iterate if necessary.

    4.2 Optional activity: Draft your IT risk appetite statements.

    4.3 Discuss communication and continual improvement plan.

    Deliverables
    1. IT Risk Taxonomy Design Template
    2. Risk Register
    3. Build an IT Risk Taxonomy Workbook

    Day 5: Next Steps and Wrap-Up (offsite)

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. Workshop Report

    Phase 1

    Understand Risk Management Fundamentals

    Phase 1

    Phase 2

    Phase 3

    • Governance, Risk, and Compliance
    • Enterprise Risk Management
    • Enterprise Risk Appetite
    • Risk Statements and Scenarios
    • What Is a Risk Taxonomy?
    • Functional Role of an IT Risk Taxonomy
    • Connection to Enterprise Risk Management
    • Establish Committee
    • Steps to Define IT Risk Taxonomy
    • Define Level 1
    • Test Level 1
    • Define Level 2 and 3
    • Test via Your Control Framework

    Governance, risk, and compliance (GRC)

    Risk management is one component of an organization’s GRC function.

    GRC principles are important tools to support enterprise management.

    Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.

    Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.

    Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.

    GRC principles are tightly bound and continuous

    The image contains a screenshot of a continuous circle that is divided into three parts: risk, compliance, and governance.

    Enterprise risk management

    Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.

    Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).

    An ERM program is crucial because it will:

    • Help shape business objectives, drive revenue growth, and execute risk-based decisions.
    • Enable a deeper understanding of risks and assessment of current risk profile.
    • Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
    • Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
    • Drive a positive risk culture.

    ERM is supported by strategy, effective processes, technology, and people

    The image contains a screenshot that demonstrates how ERM is supported by strategy, effective processes, technology, and people.

    Risk frameworks

    Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” – COSO Enterprise Risk Management, 2nd edition

    • Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
    • Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
    • Recently, the National Institute of Standards and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

    The image contains a screenshot of NIST ERM approach to strategic risk.

    Source: National Institute of Standards and Technology

    New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.

    Enterprise risk appetite

    “The amount of risk an organization is willing to take in pursuit of its objectives”

    – Robert R. Moeller, COSO ERM Framework Model
    • A primary role of the board and senior management is to balance value creation with effective management of enterprise risks.
    • As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
    • The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
    • Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
    • Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.

    Change or new risks » adjust enterprise risk profile » adjust risk appetite

    Risk profile vs. risk appetite

    Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.

    Risk Tolerant

    • You have no compliance requirements.
    • You have no sensitive data.
    • Customers do not expect you to have strong security controls.
    • Revenue generation and innovative products take priority and risk is acceptable.
    • The organization does not have remote locations.
    • It is likely that your organization does not operate within the following industries:
      • Finance
      • Healthcare
      • Telecom
      • Government
      • Research
      • Education

    Moderate

    • You have some compliance requirements, such as:
      • HIPAA
      • PIPEDA
    • You have sensitive data and are required to retain records.
    • Customers expect strong security controls.
    • Information security is visible to senior leadership.
    • The organization has some remote locations.
    • Your organization most likely operates within the following industries:
      • Government
      • Research
      • Education

    Risk Averse

    • You have multiple strict compliance and/or regulatory requirements.
    • You house sensitive data, such as medical records.
    • Customers expect your organization to maintain strong and current security controls.
    • Information security is highly visible to senior management and public investors.
    • The organization has multiple remote locations.
    • Your organization operates within the following industries:
      • Finance
      • Healthcare
      • Telecom

    Where the IT risk appetite fits into the risk program

    • Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
    • Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
    • Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
    • Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluating business cases.
    • IT risk appetite statements are based on IT level 1 risk types.

    The risk appetite has a risk lens but is also closely linked to corporate performance.

    The image contains a screenshot of a diagram that demonstrates how risk appetite has a risk lens, and how it is linked to corporate performance.

    Statements of risk

    The image contains a screenshot of a diagram of the risk landscape.

    Risk Appetite

    • The general amount of risk an organization is willing to accept while pursuing its objectives.
    • Proactive, future view of risks that reflects the desired range of enterprise performance.
    • Reflects the longer-term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.
    • Risk appetites will vary for several reasons, such as the company culture, financial strength, and capabilities.

    Risk Tolerance

    • Risk tolerance is the acceptable deviation from the level set by the risk appetite.
    • Risk tolerance is a tactical tool often expressed in quantitative terms.
    • Key risk indicators are often used to align to risk tolerance limits to ensure the organization stays within the set risk boundary.

    Risk scenarios

    Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.

    – ISACA
    • Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
    • Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
    • They form a constructive narrative and help to communicate a story by bringing in business context.
    • For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
    • Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.

    Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?

    Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.

    Example risk scenario

    Use level 1 IT risks to derive potential scenarios.

    Risk Scenario Title
    Risk scenario description: A brief description of the risk scenario
    Example (IT risks): The enterprise is unable to recruit and retain IT staff

    Risk Type
    Risk scenario description: The process or system that is impacted by the risk
    Example (IT risks):
    • Service quality
    • Product and service cost

    Risk Scenario Category
    Risk scenario description: Deeper insight into how the risk might impact business functions
    Example (IT risks):
    • Inadequate capacity to support business needs
    • Talent and skills gap due to inability to retain talent

    Risk Statement
    Risk scenario description: Used to communicate the potential adverse outcomes of a particular risk event and can be used to communicate to stakeholders to enable informed decisions
    Example (IT risks): The organization chronically fails to recruit sufficiently skilled IT workers, leading to a loss of efficiency in overall technology operation and an increased security exposure.

    Risk Owner
    Risk scenario description: The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements
    Example (IT risks):
    • Head of Human Resources
    • Business Process Owner

    Risk Oversight
    Risk scenario description: The person (role) who is responsible for risk assessments, monitoring, documenting risk response, and establishing key risk indicators
    Example (IT risks): CRO/COO

    Phase 2

    Set Your Organization Up for Success

    This phase will walk you through the following activities:

    • How to set up a cross-functional IT risk taxonomy committee

    This phase involves the following participants:

    • CIO
    • CISO
    • CRO
    • IT Risk Owners
    • Business Leaders
    • Human Resources

    What is a risk taxonomy?

    A risk taxonomy provides a common risk view and enables integrated risk

    • A risk taxonomy is the (typically hierarchical) categorization of risk types. It is constructed out of a collection of risk types organized by a classification scheme.
    • Its purpose is to assist with the management of an organization’s risk by arranging risks in a classification scheme.
    • It provides foundational support across the risk management lifecycle in relation to each of the key risks.
    • More material risk categories form the root nodes of the taxonomy, and risk types cascade into more granular manifestations (child nodes).
    • From a risk management perspective, a taxonomy will:
      • Enable more effective risk aggregation and interoperability.
      • Provide the organization with a complete view of risks and how risks might be interconnected or concentrated.
      • Help organizations form a robust control framework.
      • Give risk managers a structure to manage risks proactively.

    Typical Tree Structure

    The image contains a screenshot of the Typical Tree Structure.

    What is integrated risk management?

    • Integrated risk management is the process of ensuring all forms of risk information, including risk related to information and technology, are considered and included in the organization’s risk management strategy.
    • It removes the siloed approach of classifying risks related to specific departments or areas of the organization, recognizing that each risk is a potential threat to the overarching enterprise.
    • By aggregating the different threats or uncertainty that might exist within an organization, integrated risk management enables more informed decisions to be made that align to strategic goals and continue to drive value back to the business.
    • By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

    The image contains a screenshot of the ERM.

    Integrated risk management: A strategic and collaborative way to manage risks across the organization. It is a forward-looking, business-specific outlook with the objective of improving risk visibility and culture.

    Drivers and benefits of integrated risk

    Drivers for Integrated Risk Management

    • Business shift to digital experiences
    • The breadth and number of risks requiring oversight
    • The need for faster risk analysis and decision making

    Benefits of Integrated Risk Management

    • Enables better scenario planning
    • Enables more proactive risk responses
    • Provides more relevant risk assurance to key stakeholders
    • Improves transparency and comparability of risks across organizational silos
    • Supports better financial resilience

    Business velocity and complexity are making real-time risk management a business necessity.

    If integrated risk is the destination, your taxonomy is your road to get you there

    Info-Tech’s Model for Integrated Risk

    The image contains a screenshot of Info-Tech's Model for Integrated Risk.

    How the risk practices intersect

    The risk taxonomy provides a common classification of risks that allows risks to roll up systematically to enterprise risk, enabling more effective risk responses and more informed decision making.

    The image contains a screenshot of a diagram that demonstrates how the risk practices intersect.

    ERM taxonomy

    Relative to the base event types, overall there is an increase in the number of level 1 risk types in risk taxonomies

    – Oliver Wyman
    • The changing risk profile of organizations and regulatory focus in some industries is pushing organizations to rethink their risk taxonomies.
    • Generally, the expansion of level 1 risk types is due to the increase in risk themes under the operational risk umbrella.
    • Non-financial risks are risks that are not considered to be traditional financial risks, such as operational risk, technology risk, culture, and conduct. Environmental, social, and governance (ESG) risk is often referred to as a non-financial risk, although it can have both financial and non-financial implications.
    • Certain level 1 ERM risks, such as strategic risk, reputational risk, and ESG risk, cover both financial and non-financial risks.

    The image contains a screenshot of a diagram of the Traditional ERM Structure.

    Operational resilience

    • The concept of operational resiliency was first introduced by the European Central Bank (ECB) in 2018 as an attempt to corral supervisory cooperation on operational resiliency in financial services.
    • The necessity for stronger operational resiliency became clear during the early stages of COVID-19 when many organizations were not prepared for disruption, leading to serious concern for the safety and soundness of the financial system.
    • It has gained traction and is now defined in global supervisory guidance. Canada’s prudential regulator, the Office of the Superintendent of Financial Institutions (OSFI), defines it as “the ability of a financial institution to deliver its operations, including its critical operations, through disruption.”
    • Practically, its purpose is to knit together several operational risk management categories such as business continuity, security, and third-party risk.
    • The concept has been adopted by information and communication technology (ICT) companies, as technology and cyber risks sit neatly under this risk type.
    • It is now not uncommon to see operational resiliency as a level 1 risk type in a financial institution’s ERM framework.

    Operational resilience will often feature in ERM frameworks in organizations that deliver critical services, products, or functions, such as financial services

    ERM level 1 risk categories

    Although many organizations have expanded their enterprise risk management taxonomies to address new threats, most organizations will have the following level 1 risk types:

    ERM Level 1: Financial
    Definition: The ability to obtain sufficient and timely funding capacity.
    Definition source: Global Association of Risk Professionals (GARP)

    ERM Level 1: Non-Financial
    Definition: Non-financial risks are risks that are not considered to be traditional financial risks, such as operational risk, technology risk, culture, and conduct.
    Definition source: Office of the Superintendent of Financial Institutions (OSFI)

    ERM Level 1: Reputational
    Definition: Potential negative publicity regarding business practices regardless of validity.
    Definition source: US Federal Reserve; Global Association of Risk Professionals (GARP)

    ERM Level 1: Strategic
    Definition: Risk of unsuccessful business performance due to internal or external uncertainties, whether the event is event or trend driven. Actions or events that adversely impact an organization’s strategies and/or implementation of its strategies.
    Definition source: The Risk Management Society (RIMS)

    ERM Level 1: Sustainability (ESG)
    Definition: The risk of any negative financial or reputational impact on an organization stemming from current or prospective impacts of ESG factors on its counterparties or invested assets.
    Definition source: Open Risk Manual; Info-Tech Research Group

    ERM Level 1: Talent and Risk Culture
    Definition: The widespread behaviors and mindsets that can threaten sound decision-making, prudent risk-taking, and effective risk management and can weaken an institution’s financial and operational resilience.
    Definition source: Info-Tech Research Group

    Different models of ERM

    Some large organizations will elevate certain operational risks to level 1 organizational risks due to risk materiality.

    Every organization will approach its risk management taxonomy differently; the number of level 1 risk types will vary and depend highly on perceived impact.

    Some of the reasons why an organization would elevate a risk to a level 1 ERM risk are:

    • The risk has significant impact on the organization's strategy, reputation, or financial performance.
    • The regulator has explicitly called out board oversight within legislation.
    • It is best practice in the organization’s industry or business sector.
    • The organization has structured its operations around a particular risk theme due to its potential negative impact. For example, the organization may have a dedicated department for data privacy.

    | Level 1 | Potential Rationale | Industries | Risk Definition |
    | --- | --- | --- | --- |
    | Advanced Analytics | Use of advanced analytics is considered material | Large Enterprise, Marketing | Risks involved with model risk and emerging risks posed by artificial intelligence/machine learning. |
    | Anti-Money Laundering (AML) and Fraud | Risk is viewed as material | Financial Services, Gaming, Real Estate | The risk of exposure to financial crime and fraud. |
    | Conduct Risk | Sector-specific risk type | Financial Services | The current or prospective risk of losses to an institution arising from inappropriate supply of financial services including cases of willful or negligent misconduct. |
    | Operational Resiliency | Sector-specific risk type | Financial Services, ICT | Organizational risk resulting from an organization’s failure to deliver its operations, including its critical operations, through disruption. |
    | Privacy | Board driven – perceived as material risk to organization | Healthcare, Financial Services | The potential loss of control over personal information. |
    | Information Security | Board driven – regulatory focus | All may consider | The people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction. |

    Risk and impact

    Mapping risks to business outcomes happens within the ERM function and by enterprise fiduciaries.

    • When mapping risk events to enterprise risk types, the relationship is rarely linear. Rather, risk events typically will have multiple impacts on the enterprise, including strategic, reputational, ESG, and financial impacts.
    • As risk information is transmitted from lower levels, it informs the next level, providing the appropriate information to prioritize risk.
    • In the final stage, the enterprise portfolio view will reflect the enterprise impacts according to risk dimensions, such as strategic, operational, reporting, and compliance.

    Rolling Up Risks to a Portfolio View

    1. A risk event within IT will roll up to the enterprise via the IT risk register.
    2. The impact of the risk on cash flow and operations will be aggregated and allocated in the enterprise risk register by enterprise fiduciaries (e.g. CFO).
    3. The impacts are translated into full value exposures or modified impact and likelihood assessments.

    Common challenges

    How to synthesize different objectives between IT risk and enterprise risk

    Commingling risk data is a major challenge when developing a risk taxonomy, but one of the underlying reasons is that the enterprise and IT look at risk from different dimensions.

    • The role of the enterprise in risk management is to provide and preserve value, and therefore the enterprise evaluates risk on an adjusted risk-return basis.
    • To do this effectively, the enterprise must break down silos and view risk holistically.
    • ERM is a top-down process of evaluating risks that may impact the entity. As part of the process, ERM must manage risks within the enterprise risk framework and provide reasonable assurances that enterprise objectives will be met.
    • IT risk management focuses on internal controls and sits as a function within the larger enterprise.
    • IT takes a bottom-up approach by applying an ongoing process of risk management and constantly identifying, assessing, prioritizing, and mitigating risks.
    • IT has a central role in risk mitigation and, if functioning well, will continually reduce IT risks, simplifying the role for ERM.

    Establish a team

    Cross-functional collaboration is key to defining level 1 risk types.

    Establish a cross-functional working group.

    • Level 1 IT risk types are the most important to get right because they are the root nodes that all subtypes of risk cascade from.
    • To ensure the root nodes (level 1 risk types) address the risks of your organization, it is vital to have a strong understanding of your organization’s value chain, so your organizational strategy is a key input for defining your IT level 1 risk types.
    • Since the taxonomy provides the method for communicating risks to the people who need to make decisions, a wide understanding and acceptance of the taxonomy is essential. This means that multiple people across your organization should be involved in defining the taxonomy.
    • Form a cross-functional tactical team to collaborate and agree on definitions. The team should include subject matter experts and leaders in key risk and business areas. In terms of governance structure, this committee might sit underneath the enterprise risk council, and members of your IT risk council may also be good candidates for this tactical working group.
    • The committee would be responsible for defining the taxonomy as well as performing regular reviews.
    • The importance of collaboration will become crystal clear as you begin this work, as risks should be connected to only one risk type.

    Governance Layer

    Role/Responsibilities

    Enterprise

    Defines organizational goals. Directs or regulates the performance and behavior of the enterprise, ensuring it has the structure and capabilities to achieve its goals.

    Enterprise Risk Council

    • Approve of risk taxonomy

    Strategic

    Ensures business and IT initiatives, products, and services are aligned to the organization’s goals and strategy and provide expected value. Ensures adherence to key principles.

    IT Risk Council

    • Provide input
    • May review taxonomy ahead of going to the enterprise risk council for approval

    Tactical

    Ensures key activities and planning are in place to execute strategic initiatives.

    Subcommittee

    • Define risk types and definitions
    • Establish and maintain taxonomy
    • Recommend changes
    • Advocate and communicate internally

    2.1 Establish a cross-functional working group

    2-3 hours

    1. Consider your organization’s operating model and current governance framework, specifically any current risk committees.
    2. Consider the members of current committees and your objectives and begin defining:
      1. Committee mandate, goals, and success factors.
      2. Responsibility and membership.
      3. Committee procedures and policies.
    3. Make sure you define how this tactical working group will interact with existing committees.

    Download Build an IT Risk Taxonomy Workbook

    Input Output
    • Organization chart and operating model
    • Corporate governance framework and existing committee charters
    • Cross-functional working group charter
    Materials Participants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • IT Taxonomy Committee Charter
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Phase 3

    Structure Your IT Risk Taxonomy

    Phase 1

    • Governance, Risk, and Compliance
    • Enterprise Risk Management
    • Enterprise Risk Appetite
    • Risk Statements and Scenarios

    Phase 2

    • What Is a Risk Taxonomy?
    • Functional Role of an IT Risk Taxonomy
    • Connection to Enterprise Risk Management
    • Establish Committee

    Phase 3

    • Steps to Define IT Risk Taxonomy
    • Define Level 1
    • Test Level 1
    • Define Level 2 and 3
    • Test via Your Control Framework

    This phase will walk you through the following activities:

    • Establish level 1 risk types
    • Test level 1 risk types
    • Define level 2 and level 3 risk types
    • Test the taxonomy via your control framework

    This phase involves the following participants:

    • CIO
    • CISO
    • CRO
    • IT Risk Owners
    • Business Leaders
    • Human Resources

    Structuring your IT risk taxonomy

    Do’s

    • Ensure your organization’s values are embedded into the risk types.
    • Design your taxonomy to be forward looking and risk based.
    • Make level 1 risk types generic so they can be used across the organization.
    • Ensure each risk has its own attributes and belongs to only one risk type.
    • Collaborate on and communicate your taxonomy throughout the organization.

    Don’ts

    • Don’t develop risk types based on function.
    • Don’t develop your taxonomy in a silo.

    A successful risk taxonomy is forward looking and codifies the most frequently used risk language across your organization.

    Level 1

    Parent risk types aligned to organizational values

    Level 2

    Subrisks to level 1 risks

    Level 3

    Further definition

    Steps to define your IT risk taxonomy

    Step 1

    Leverage Info-Tech’s Build an IT Risk Taxonomy Guideline and identify IT level 1 risk types. Consider corporate inputs and macro trends.

    Step 2

    Test level 1 IT risk types by mapping to your enterprise's ERM level 1 risk types.

    Step 3

    Draft your level 2 and level 3 risk types. Be mutually exclusive to the extent possible.

    Step 4

    Work backward – align risk events and controls to the lowest level risk category. In our examples, we align to level 3.

    Step 5

    Add risk levels to your risk registry.

    Step 6

    Optional – Add IT risk appetite statements to risk register.

    Inputs to use when defining level 1

    To help you define your IT risk taxonomy, leverage your organization’s strategy and risk management artifacts, such as outputs from risk assessments, audits, and test results. Also consider macro trends and potential risks unique to your organization.

    Step 1 – Define Level 1 Risk Types

    Use corporate inputs to help structure your taxonomy

    • Corporate Strategy
    • Risk Assessment
    • Audit
    • Test Results

    Consider macro trends that may have an impact on how you manage IT risks

    • Geopolitical Risk
    • Economic Downturn
    • Regulation
    • Competition
    • Climate Risk
    • Industry Disruption

    Evaluate from an organizational lens

    Ask risk-based questions to help define level 1 IT risks for your organization.

    IT Risk Type

    Example Questions

    Technology

    How reliant is our organization on critical assets for business operations?

    How resilient is the organization to an unexpected crisis?

    How many planned integrations do we have (over the next 24 months)?

    Talent Risk

    What is our need for specialized skills, like digital, AI, etc.?

    Does our culture support change and innovation?

    How susceptible is our organization to labor market changes?

    Strategy

    What is the extent of digital adoption or use of emerging technologies in our organization?

    How aligned is IT with strategy/corporate goals?

    How much is our business dependent on changing customer preferences?

    Data

    How much sensitive data does our organization use?

    How much data is used and stored aggregately?

    How often is data moved? And to what locations?

    Third-party

    How many third-party suppliers do we have?

    How reliant are we on the global supply chain?

    What is the maturity level of our third-party suppliers?

    Do we have any concentration risk?

    Security

    How equipped is our organization to manage cyber threats?

    How many security incidents occur per year/quarter/day?

    Do we have regulatory obligations? Is there risk of enforcement action?

    Level 1 IT taxonomy structure

    Step 2 – Consider your organization’s strategy and areas where risks may manifest and use this guidance to advance your thinking. Many factors may influence your taxonomy structure, including internal organizational structure, the size of your organization, industry trends and organizational context, etc.

    Most IT organizations will include these level 1 risks in their IT risk taxonomy

    IT Level 1

    Definition

    Definition Source

    Technology

    Risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage.

    Open Risk Manual

    Note how this definition by OSFI includes cyber risk as part of technology risk. Smaller organizations and organizations that do not use large amounts of sensitive information will typically fold cyber risks under technology risks. Not all organizations will take this approach. Some organizations may elevate security risk to level 1.

    “Technology risk”, which includes “cyber risk”, refers to the risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage.

    Office of the Superintendent of Financial Institutions (OSFI)

    Talent

    The risk of not having the right knowledge and skills to execute strategy.

    Info-Tech Research Group/McLean & Company

    Human capital challenges including succession challenges and the ability to attract and retain top talent are considered the most dominant risk to organizations’ ability to meet their value proposition (Protiviti, 2023).

    Strategic

    Risks that threaten IT’s ability to deliver expected business outcomes.

    Info-Tech Research Group

    IT’s role as strategic enabler to the business has never been so vital. With the speed of disruptive innovation, IT must be able to monitor alignment, support opportunities, and manage unexpected crises.

    Level 1 IT taxonomy structure cont'd

    Step 2 – Large and more complex organizations may have more level 1 risk types. Variances in approaches are closely linked to the type of industry and business in which the organization operates as well as how they view and position risks within their organization.

    IT Level 1

    Definition

    Definition Source

    Data

    Data risk is the exposure to loss of value or reputation caused by issues or limitations to an organization’s ability to acquire, store, transform, move, and use its data assets.

    Deloitte

    Data risk encompasses the risk of loss of value or reputation resulting from inadequate or failed internal processes, people and systems or from external events impacting on data.

    Australian Prudential Regulation Authority (APRA) (CPG 235 – 2013)

    Data is increasingly being used for strategic growth initiatives as well as for meeting regulatory requirements. Organizations that use a lot of data or specifically sensitive information will likely have data as a level 1 IT risk type.

    Third-Party

    The risk of adversely impacting the institution’s performance by engaging a third party, or their associated downstream and upstream partners or another group entity (intragroup outsourcing) to provide IT systems or related services.

    European Banking Association (EBA)

    Open Risk Manual uses EBA definition

    Third-party risk (supply chain risk) received heightened attention during COVID-19. If your IT organization is heavily reliant on third parties, you may want to consider elevating third-party risk to level 1.

    Security

    The risk of unauthorized access to IT systems and data from within or outside the institution (e.g., cyber-attacks). An incident is viewed as a series of events that adversely affects the information assets of an organization. The overall narrative of this type of risk event is captured as who, did what, to what (or whom), with what result.

    Open Risk Manual

    Some organizations and industries are subject to regulatory obligations, which typically means the board has strict oversight and will elevate security risk to a level 1.

    Common challenges

    Considerations when defining level 1 IT risk types

    • Ultimately, the identification of a level 1 IT risk type will be driven by the potential for and materiality of vulnerabilities that may impede an organization from delivering successful business outcomes.
    • Senior leaders within organizations play a central role in protecting organizations against vulnerabilities and threats.
    • The size and structure of your organization will influence how you manage risk.
    • The following slide shows typical roles and responsibilities for data privacy.
    • Large enterprises and organizations that use a lot of personally identifiable information (PII), such as those in healthcare, financial services, and online retail, will typically have data as a level 1 IT risk and data privacy as a level 2 risk type.
    • However, smaller organizations or organizations that do not use a lot of data will typically fold data privacy under either technology risk or security risk.

    Deciding placement in taxonomy

    • In larger enterprises, data risks are managed within a dedicated functional department with its own governance structure. In small organizations, the CIO is typically responsible and accountable for managing data privacy risk.

    Global Enterprise

    Midmarket

    Privacy Requirement

    What Is Involved

    Accountable

    Responsible

    Accountable & Responsible

    Privacy Legal and Compliance Obligations

    • Ensuring the relevant Accountable roles understand privacy obligations for the jurisdictions operated in.

    Privacy Officer (Legal)

    Privacy Officer (Legal)

    Privacy Policy, Standards, and Governance

    • Defining policies and ensuring they are in place to ensure all privacy obligations are met.
    • Monitoring adherence to those policies and standards.

    Chief Risk Officer (Risk)

    Head of Risk Function

    Data Classification and Security Standards and Best-Practice Capabilities

    • Defining the organization’s data classification and security standards and ensuring they align to the privacy policy.
    • Designing and building the data security standards, processes, roles, and technologies required to ensure all security obligations under the privacy policy can be met.
    • Providing oversight of the effectiveness of data security practices and leading resolution of data security issues/incidents.

    Chief Information Security Officer (IT)

    Chief Information Security Officer (IT)

    Technical Application of Data Classification, Management and Security Standards

    • Ensuring all technology design, implementation, and operational decisions adhere to data classification, data management, and data security standards.

    Chief Information Officer (IT)

    Chief Data Architect (IT)

    Chief Information Officer (IT)

    Data Management Standards and Best-Practice Capabilities

    • Defining the organization’s data management standards and ensuring they align to the privacy policy.
    • Designing and building the data management standards, processes, roles, and technologies required to ensure data classification, access, and sharing obligations under the privacy policy can be met.
    • Providing oversight of the effectiveness of data classification, access, and sharing practices and leading resolution of data management issues/incidents.

    Chief Data Officer

    Where no Head of Data Exists and IT, not the business, is seen as de facto owner of data and data quality

    Execution of Data Management

    • Ensuring business processes that involve data classification, sharing, and access related to their data domain align to data management standards (and therefore privacy obligations).

    L1 Business Process Owner

    L2 Business Process Owner

    Common challenges

    Defining security risk and where it resides in the taxonomy

    • For risk management to be effective, risk professionals need to speak the same language, but the terms “information security,” “cybersecurity,” and “IT security” are often used interchangeably.
    • Traditionally, cyber risk was folded under technology risk and therefore resided at a lower level of a risk taxonomy. However, due to heightened attention from regulators and boards stemming from the pervasiveness of cyber threats, some organizations are elevating security risks to a level 1 IT risk.
    • Furthermore, regulatory cybersecurity requirements have emphasized control frameworks. As such, many organizations have adopted NIST because it is comprehensive, regularly updated, and easily tailored.
    • While NIST is prescriptive and action oriented, it starts with controls and does not easily integrate with traditional ERM frameworks. To address this, NIST has published new guidance focused on an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and the processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

    Definitional Nuances

    “Cybersecurity” describes the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

    “IT security” describes a function as well as a method of implementing policies, procedures, and systems to defend the confidentiality, integrity, and availability of any digital information used, transmitted, or stored throughout the organization’s environment.

    “Information security” defines the people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.

    3.1 Establish level 1 risk types

    2-3 hours

    1. Consider your current and future corporate goals and business initiatives, risk management artifacts, and macro industry trends.
    2. Ask questions to understand risks unique to your organization.
    3. Review Info-Tech’s IT level 1 risk types and identify the risk types that apply to your organization.
    4. Add any risk types that are missing and unique to your organization.
    5. Refine the definitions to suit your organization.
    6. Be mutually exclusive and collectively exhaustive to the extent possible.

    Download Build an IT Risk Taxonomy Workbook

    Input Output
    • Organization's strategy
    • Other organizational artifacts if available (operating model, outputs from audits and risk assessments, risk profile, and risk appetite)
    • Build an IT Risk Taxonomy Guideline
    • IT Risk Taxonomy Definitions
    • Level 1 IT risk types customized to your organization
    Materials Participants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    3.2 Map IT risk types against ERM level 1 risk types

    1-2 hours

    1. Using the output from Activity 3.1, map your IT risk types to your ERM level 1 risk types.
    2. Record in the Build an IT Risk Taxonomy Workbook.

    Download Build an IT Risk Taxonomy Workbook

    Input Output
    • IT level 1 risk types customized to your organization
    • ERM level 1 risk types
    • Final level 1 IT risk types
    Materials Participants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Map IT level 1 risk types to ERM

    Test your level 1 IT risk types by mapping to your organization’s level 1 risk types.

    Step 2 – Map IT level 1 risk types to ERM

    The image contains two tables: one lists ERM Level 1 Risks, the other lists IT Level 1 Risks.

    3.3 Establishing level 2 and 3 risk types

    3-4 hours

    1. Using the level 1 IT risk types that you have defined and using Info-Tech’s Risk Taxonomy Guideline, first begin to identify level 2 risk types for each level 1 type.
    2. Be mutually exclusive and collectively exhaustive to the extent possible.
    3. Once satisfied with your level 2 risk types, break them down further to level 3 risk types.

    Note: Smaller organizations may only define two risk levels, while larger organizations may define further to level 4.

    Download Build an IT Risk Taxonomy Design Template

    Input Output
    • Output from Activity 3.1, Establish level 1 risk types
    • Build an IT Risk Taxonomy Workbook
    • Build an IT Risk Taxonomy Guideline
    • Level 2 and level 3 risk types recorded in Build an IT Risk Taxonomy Design Template
    Materials Participants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Level 2 IT taxonomy structure

    Step 3 – Break down your level 1 risk types into subcategories. This is complicated and may take many iterations to reach a consistent and accepted approach. Try to make your definitions intuitive and easy to understand so that they will endure the test of time.

    Security vulnerabilities often surface through third parties, but where and how you manage this risk is highly dependent on how you structure your taxonomy. Organizations with a lot of exposure may have a dedicated team and may manage and report security risks under a level 1 third-party risk type.

    Level 3 IT taxonomy structure

    Step 3 – Break down your level 2 risk types into lower-level subcategories. The number of risk levels you have will depend on the size and magnitude of risks within your organization. In our examples, we demonstrate three levels.

    Risk taxonomies for smaller organizations may only include two risk levels. However, large enterprises or more complex organizations may extend their taxonomy to level 3 or even 4. This illustration shows just a few examples of level 3 risks.

    Test using risk events and controls

    Ultimately risk events and controls need to roll up to level 1 risks in a consistent manner. Test the robustness of your taxonomy by working backward.

    Step 4 – Work backward to test and align risk events and controls to the lowest level risk category.

    • A key function of IT risk management is to monitor and maintain internal controls.
    • Internal controls help to reduce the level of inherent risk to acceptable levels, known as residual risk.
    • As risks evolve, new controls may be needed to upgrade protection for tech infrastructure and strengthen connections between critical assets and third-party suppliers.

    Example – Third Party Risk

    3.4 Test your IT taxonomy

    2-3 hours

    1. Leveraging the output from Activities 3.1 to 3.3 and your IT Risk Taxonomy Design Template, begin to test the robustness of the taxonomy by working backward from controls to level 1 IT risks.
    2. The lineage should show clearly that the control will mitigate the impact of a realized risk event. Refine the control or move the control to another level 1 risk type if the control will not sufficiently reduce the impact of a realized risk event.
    3. Once satisfied, update your risk register or your risk management software tool.

    Download Build an IT Risk Taxonomy Design Template

    Input Output
    • Output from Activities 3.1 to 3.3
    • IT risk taxonomy documented in the IT Risk Taxonomy Design Template
    Materials Participants
    • Whiteboard/flip charts
    • IT risk register
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Update risk register

    Step 5 – Once you are satisfied with your risk categories, update your risk registry with your IT risk taxonomy.

    Use Info-Tech’s Risk Register Tool or populate your internal risk software tool.

    Download Info-Tech’s Risk Register Tool

    Augment the risk event list using COBIT 2019 processes (Optional)

    Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

    1. Managed IT Management Framework
    2. Managed Strategy
    3. Managed Enterprise Architecture
    4. Managed Innovation
    5. Managed Portfolio
    6. Managed Budget and Costs
    7. Managed Human Resources
    8. Managed Relationships
    9. Managed Service Agreements
    10. Managed Vendors
    11. Managed Quality
    12. Managed Risk
    13. Managed Security
    14. Managed Data
    15. Managed Programs
    16. Managed Requirements Definition
    17. Managed Solutions Identification and Build
    18. Managed Availability and Capacity
    19. Managed Organizational Change Enablement
    20. Managed IT Changes
    21. Managed IT Change Acceptance and Transitioning
    22. Managed Knowledge
    23. Managed Assets
    24. Managed Configuration
    25. Managed Projects
    26. Managed Operations
    27. Managed Service Requests and Incidents
    28. Managed Problems
    29. Managed Continuity
    30. Managed Security Services
    31. Managed Business Process Controls
    32. Managed Performance and Conformance Monitoring
    33. Managed System of Internal Control
    34. Managed Compliance with External Requirements
    35. Managed Assurance
    36. Ensured Governance Framework Setting and Maintenance
    37. Ensured Benefits Delivery
    38. Ensured Risk Optimization
    39. Ensured Resource Optimization
    40. Ensured Stakeholder Engagement

    Example IT risk appetite

    When developing your risk appetite statements, ensure they are aligned to your organization’s risk appetite and that success can be measured.

    Example IT Risk Appetite Statement

    Risk Type

    Technology Risk

    IT should establish a risk appetite statement for each level 1 IT risk type.

    Appetite Statement

    Our organization’s number-one priority is to provide high-quality trusted service to our customers. To meet this objective, critical systems must be highly performant and well protected from potential threats. To meet this objective, the following expectations have been established:

    • No appetite for unauthorized access to systems and confidential data.
    • Low appetite for service downtime.
      • Service availability objective of 99.9%.
      • Near real-time recovery of critical services – ideally within 30 minutes, no longer than 3 hours.

    The ideal risk appetite statement is qualitative and supported by quantitative measures.

    Risk Owner

    Chief Information Officer

    Ultimately, there is an accountable owner(s), but involve business and technology stakeholders when drafting to gain consensus.

    Risk Oversight

    Enterprise Risk Committee

    Supporting Framework(s)

    Business Continuity Management, Information Security, Internal Audit

    The number of supporting programs and frameworks will vary with the size of the organization.

    3.5 Draft your IT risk appetite statements

    Optional Activity

    2-3 hours

    1. Using your completed taxonomy and your organization’s risk appetite statement, draft an IT risk appetite statement for each level 1 risk in your workbook.
    2. Socialize the statements and gain approval.
    3. Add the approved risk appetite statements to your IT risk register.

    Download Build an IT Risk Taxonomy Workbook

    Input
    • Organization’s risk appetite statement
    • Build an IT Risk Taxonomy Workbook
    • IT Risk Taxonomy Design Template

    Output
    • IT risk appetite statements

    Materials
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook

    Participants
    • CISO, CIO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Key takeaways and next steps

    • The risk taxonomy is the backbone of a robust enterprise risk management program. A good taxonomy is frequently used and well understood.
    • Not only is the risk taxonomy used to assess organizational impact, but it is also used for risk reporting, scenario analysis and horizon scanning, and risk appetite expression.
    • It is essential to capture IT risks within the ERM framework to fully understand the impact and allow for consistent risk discussions and meaningful aggregation.
    • Defining an IT risk taxonomy is a team sport, and organizations should strive to set up a cross-functional working group that is tasked with defining the taxonomy, monitoring its effectiveness, and ensuring continual improvement.
    • The work does not end when the taxonomy is complete. The taxonomy should be well socialized throughout the organization after inception through training and new policies and procedures. Ultimately, it should be an activity embedded into risk management practices.
    • The taxonomy is a living document and should be continually improved upon.

    3.6 Prepare to communicate the taxonomy internally

    1-2 hours

    To gain acceptance of your risk taxonomy within your organization, ensure it is well understood and used throughout the organization.

    1. Consider your audience and agree on the key elements you want to convey.
    2. Prepare your presentation.
    3. Test your presentation with a smaller group before communicating to senior leadership or the board.

    Coming soon: Look for our upcoming research Communicate Any IT Initiative.

    Input
    • Build an IT Risk Taxonomy Workbook
    • Upcoming research: Communicate Any IT Initiative

    Output
    • Presentation

    Materials
    • Whiteboard/flip charts
    • Upcoming research: Communicate Any IT Initiative
    • Internal communication templates

    Participants
    • CISO, CIO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Related Info-Tech Research

    Build an IT Risk Management Program

    • Use this blueprint to transform your ad hoc risk management processes into a formalized ongoing program and increase risk management success.
    • Learn how to take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.

    Integrate IT Risk Into Enterprise Risk

    • Use this blueprint to understand gaps in your organization’s approach to risk management.
    • Learn how to integrate IT risks into the foundational risk practice.

    Coming Soon: Communicate Any IT initiative

    • Use this blueprint to compose an easy-to-understand presentation to convey the rationale of your initiative and plan of action.
    • Learn how to identify your target audience and tailor and deliver the message in an authentic and clear manner.

    Risk definitions

    Term: Description
    Emergent Risk: Risks that are poorly understood but expected to grow in significance.
    Residual Risk: The amount of risk you have left after you have removed a source of risk or implemented a mitigation approach (controls, monitoring, assurance).
    Risk Acceptance: If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
    Risk Appetite: An organization’s general approach and attitude toward risk; the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
    Risk Assessment: The process of estimating and evaluating risk.
    Risk Avoidance: The risk response where an organization chooses not to perform a particular action or maintain an existing engagement due to the risk involved.
    Risk Event: A risk occurrence (actual or potential) or a change of circumstances. Can consist of more than one occurrence or of something not happening. Can be referred to as an incident or accident.
    Risk Identification: The process of finding, recognizing, describing, and documenting risks that could impact the achievement of objectives.
    Risk Management: The capability and related activities used by an organization to identify and actively manage risks that affect its ability to achieve goals and strategic objectives. Includes principles, processes, and framework.
    Risk Likelihood: The chance of a risk occurring. Usually measured mathematically using probability.
    Risk Management Policy: Expresses an organization’s commitment to risk management and clarifies its use and direction.
    Risk Mitigation: The risk response where an action is taken to reduce the impact or likelihood of a risk occurring.
    Risk Profile: A written description of a set of risks.
    Risk Opportunity: A cause/trigger of a risk with a positive outcome.
    Risk Owner: The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements.
    Risk Register: A tool used to identify and document potential and active risks in an organization and to track the actions in place to manage each risk.
    Risk Response: How you choose to respond to risk (accept, mitigate, transfer, or avoid).
    Risk Source: The element that, alone or in combination, has potential to give rise to a risk. Usually this is the root cause of the risk.
    Risk Statement: A description of the current conditions that may lead to the loss, and a description of the loss.
    Risk Tolerance: The amount of risk you are prepared or able to accept (in terms of volume or impact); the amount of uncertainty an organization is willing to accept in the aggregate (or more narrowly within a certain business unit or for a specific risk category). Expressed in quantitative terms that can be monitored (such as volatility or deviation measures), risk tolerance often is communicated in terms of acceptable/unacceptable outcomes or as limited levels of risk. Risk tolerance statements identify the specific minimum and maximum levels beyond which the organization is unwilling to accept variations from the expected outcome.
    Risk Transfer: The risk response where you transfer the risk to a third party.

    Research Contributors and Experts

    LynnAnn Brewer
    Director
    McLean & Company

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Valence Howden
    Principal Research Director
    Info-Tech Research Group

    John Kemp
    Executive Counsellor – Executive Services
    Info-Tech Research Group

    Brittany Lutes
    Research Director
    Info-Tech Research Group

    Carlene McCubbin
    Practice Lead – CIO Practice
    Info-Tech Research Group

    Frank Sargent
    Senior Workshop Director
    Info-Tech Research Group

    Frank Sewell
    Advisory Director
    Info-Tech Research Group

    Ida Siahaan
    Research Director
    Info-Tech Research Group

    Steve Willis
    Practice Lead – Data Practice
    Info-Tech Research Group

    Application Maintenance

    • member rating overall impact (scale of 10): 10.0/10

    The challenge

    • If you work with application maintenance or operations teams that handle the "run" of your applications, you may find that the sheer volume and variety of requests create large backlogs.
    • Your business and product owners may want scrum or DevOps teams to work on new functionality rather than spend effort on lifecycle management.
    • Increasing complexity and increasing reliance on technology may create unrealistic expectations for your maintenance teams. Business applications must be available around the clock, and new feature roadmaps cannot be side-tracked by maintenance.

    Our advice

    Insight

    • Improving maintenance focus may mean doing less work but creating more value. Your teams need to be realistic about the commitments they take on: balance maintenance with business value and risk levels.
    • Treat maintenance the same as any other development practice. Use the same intake and prioritization practices. Uphold the same quality standards.

    Impact and results 

    • Justify the necessity of streamlined and regular maintenance. Understand each stakeholder's objectives and concerns, and validate them against your staff's current state and the processes and technologies involved.
    • Maintenance and risk go hand in hand, and the business also wants to keep moving forward. Strengthen your prioritization practice. Use a holistic view of the business and technical impacts, risks, and urgencies across the maintenance needs and requests. That allows you to justify their respective positions in the overall development backlog. Identify opportunities to bring some requirements and features together.
    • Build a repeatable process with appropriate governance around it. Ensure that people know their roles and responsibilities and are held accountable.
    • Instill development best practices into your maintenance processes.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started.

    Read our executive brief to understand everyday struggles regarding application maintenance, the root causes, and our methodology to overcome these. We show you how we can support you.

    Understand your maintenance priorities

    Identify your stakeholders and understand their drivers.

    • Streamline Application Maintenance – Phase 1: Assess the Current Maintenance Landscape (ppt)
    • Application Maintenance Operating Model Template (doc)
    • Application Maintenance Resource Capacity Assessment (xls)
    • Application Maintenance Maturity Assessment (xls)

    Define and employ maintenance governance

    Identify the right level of governance appropriate to your company and business context for your application maintenance. That ensures that people uphold standards across maintenance practices.

    • Streamline Application Maintenance – Phase 2: Develop a Maintenance Release Schedule (ppt)

    Enhance your prioritization practices

    Most companies cannot do everything for all applications and systems. Build your maintenance triage and prioritization rules to safeguard your company, maximize business value generation, and account for IT risks and requirements.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities (ppt)

    Streamline your maintenance delivery

    Define quality standards in maintenance practices. Enforce these in alignment with the governance you have set up. Show a high degree of transparency and open discussions on development challenges.

    • Streamline Application Maintenance – Phase 4: Streamline Maintenance Delivery (ppt)
    • Application Maintenance Business Case Presentation Document (ppt)

    Develop a COVID-19 Pandemic Response Plan

    • IT departments are being asked to rapidly ramp up work-from-home capabilities and other business process workarounds.
    • Crisis managers are experiencing a pandemic more severe than what they’ve managed in the past.
    • Organizations are scrambling to determine how they can keep their businesses running through this pandemic.

    Our Advice

    Critical Insight

    • Obstacles to working from home go beyond internet speed and needing a laptop. Business input is critical to uncover unexpected obstacles.
    • IT needs to address a range of issues from security risk to increased service desk demand from users who don’t normally work from home.
    • Resist the temptation to bypass IT processes – your future self will thank you for tracking all those assets about to go out the door.

    Impact and Result

    • Start with crisis management fundamentals – identify crisis management roles and exercise appropriate crisis communication.
    • Prioritize business processes and work-from-home requirements. Not everyone can be set up on day one.
    • Don’t over-complicate your work-from-home deployment plan. A simple spreadsheet (see the Work-from-Home Requirements Tool) to track requirements can be very effective.

    Develop a COVID-19 Pandemic Response Plan Research & Tools

    Start here

    Stay up to date on COVID-19 and the resources available to you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop a COVID-19 Pandemic Response Plan Storyboard

    1. Manage the pandemic crisis

    Identify key roles and immediate steps to manage this crisis.

    • Pandemic Response Plan Example

    2. Create IT’s plan to support the pandemic response plan

    Plan the deployment of a work-from-home initiative.

    • Work-From-Home Requirements Tool

    Accelerate Business Growth and Valuation by Building Brand Awareness


    Brands that fail to invest in brand awareness are likely to face some, if not all, of these problems:

    • Lack of brand visibility and recognition
    • Inability to reach and engage with the buyers
    • Difficulties generating and converting leads
    • Low customer retention rate
    • Inability to justify higher pricing
    • Limited brand equity, business valuation, and sustainability

    Our Advice

    Critical Insight

    Awareness brings visibility and traction to brands, which is essential in taking the market leadership position and becoming the trusted brand that buyers think of first.

    Brand awareness also significantly contributes to increasing brand equity, market valuation, and business sustainability.

    Impact and Result

    Building brand awareness allows for the increase of:

    • Brand visibility, perception, recognition, and reputation
    • Interactions and engagement with the target audience
    • Digital advertising performance and ROI
    • Conversion rates and sales wins
    • Revenue and profitability
    • Market share & share of voice (SOV)
    • Talent, partner, and investor attraction and retention
    • Brand equity, business growth, and market valuation

    Accelerate Business Growth and Valuation by Building Brand Awareness Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Accelerate Business Growth and Valuation by Building Brand Awareness Storyboard - Learn how to establish the brand foundation, create assets and workflows, and deploy effective brand awareness strategies and tactics.

    A two-step approach to building brand awareness, starting with defining the brand foundations and then implementing effective brand awareness strategies and tactics.

    • Accelerate Business Growth and Valuation by Building Brand Awareness Storyboard

    2. Define Brand's Personality and Message - Analyze your target market and develop key elements of your brand guidelines.

    With this set of tools, you will be able to capture and analyze your target market, your buyers and their journeys, define your brand's values, personality, and voice, and develop all the key elements of your brand guidelines to enable people within your organization and external resources to build a consistent and recognizable image across all assets and platforms.

    • Market Analysis Template
    • Brand Recognition Survey and Interview Questionnaire and List Template
    • External and Internal Factors Analysis Template
    • Buyer Personas and Journey Presentation Template
    • Brand Purpose, Mission, Vision, and Values Template
    • Brand Value Proposition and Positioning Statement
    • Brand Voice Guidelines Template
    • Writing Style Guide Template
    • Brand Messaging Template
    • Writer Checklist

    3. Start Building Brand Awareness - Achieve strategic alignment.

    These tools will allow you to achieve strategic alignment and readiness, create assets and workflows, deploy tactics, establish Key Performance Indicators (KPIs), and monitor and optimize your strategy on an ongoing basis.

    • Brand Awareness Strategy and Tactics Template
    • Asset Creation and Management List
    • Campaign Workflows Template
    • Brand Awareness Strategy Rollout Plan Template
    • Survey Emails Best Practices Guidelines

    Further reading

    Accelerate Business Growth and Valuation By Building Brand Awareness

    Develop and deploy comprehensive, multi-touchpoint brand awareness strategies to become the trusted brand that buyers think of first.

    EXECUTIVE BRIEF

    Analyst perspective

    Building brand awareness

    Achieving high brand awareness in a given market and becoming the benchmark for buyers is what every brand wants to achieve, as it is a guarantee of success. Building brand awareness, even though its immediate benefits are often difficult to see and measure, is essential for companies that want to stand out from their competitors and continue to grow in a sustainable way. The return on investment (ROI) may take longer, but the benefits are also greater than those achieved through short-term initiatives with the expectation of immediate, albeit often limited, results.

    Brands that are familiar to their target market have greater credibility, generate more sales, and have a more loyal customer base. CMOs that successfully execute brand awareness programs build brand equity and grow company valuation.

    Nathalie Vezina
    Marketing Research Director
    SoftwareReviews Advisory

    Executive summary

    Brand leaders know that brand awareness is essential to the success of all marketing and sales activities. Brands that fail to invest in brand awareness are likely to face some, if not all, of these problems:

    • Lack of brand visibility and compelling storytelling.
    • Inability to reach the target audience.
    • Low engagement on digital platforms and with ads.
    • Difficulties generating and converting leads, or closing/winning sales/deals, and facing a high cost per acquisition.
    • Low/no interest or brand recognition, trust level, and customer retention rate.
    • Inability to justify higher pricing.

    Convincing stakeholders of the benefits of strong brand awareness can be difficult when the positive outcomes are hard to quantify, and the return on investment (ROI) is often long-term. Among the many obstacles brand leaders must overcome are:

    • Lack of longer-term corporate vision, focusing all efforts and resources on short-term growth strategies for a quick ROI.
    • Insufficient market and target buyers' information and understanding of the brand's key differentiator.
    • Misalignment of brand message, and difficulties creating compelling content that resonates with the target audience, generates interest, and keeps them engaged.
    • Limited or no resources dedicated to the development of the brand.

    Inspired by top-performing businesses and best practices, this blueprint provides the guidance and tools needed to successfully build awareness and help businesses grow. By following these guidelines, brand leaders can expect to:

    • Gain market intelligence and a clear understanding of the buyer's needs, your competitive advantage, and key differentiator.
    • Develop a clear and compelling value proposition and a human-centric brand messaging driven by the brand's values.
    • Increase online presence and brand awareness to attract and engage with buyers.
    • Develop a long-term brand strategy and execution plan.

    "A brand is the set of expectations, memories, stories, and relationships that, taken together, account for a consumer's decision to choose one product or service over another."

    – Seth Godin

    What is brand awareness?

    The act of making a brand visible and memorable.

    Brand awareness is the degree to which buyers are familiar with and recognize the attributes and image of a particular brand, product, or service. The higher the level of awareness, the more likely the brand is to come into play when a target audience enters the "buying consideration" phase of the buyer's journey.

    Brand awareness also plays an important role in building equity and increasing business valuation. Brands that are familiar to their target market have greater credibility, drive more sales, and have a more loyal customer base.

    Building brand awareness allows for the increase of:

    • Brand visibility, perception, recognition, and reputation
    • Interactions and engagement with the target audience
    • Digital advertising performance and ROI
    • Conversion rates and sales wins
    • Revenue and profitability
    • Market share and share of voice (SOV)
    • Talent, partner, and investor attraction and retention
    • Brand equity, business growth, and market valuation

    "Products are made in a factory, but brands are created in the mind."
    Source: Walter Landor

    Capitalizing on a powerful brand

    A longer-term approach for an increased and more sustainable ROI.

    Market leader position

    Developing brand awareness is essential to increase the visibility and traction of a brand.

    Several factors may cause a brand not to be well known. One reason might be that the brand recently launched, such as a startup. Another reason could be that the brand has rebranded or entered a new market.

    To become the trusted brand that buyers think of first in their target markets, it is critical for these brands to develop and deploy comprehensive, multi-touchpoint brand awareness strategies.

    A relationship leading to loyalty

    A longer-term brand awareness strategy helps build a strong relationship between the brand and the buyer, fostering a lasting and rewarding alliance.

    It also enables brands to reach and engage with their target audience effectively by using compelling storytelling and meaningful content.

    Adopting a more human-centric approach and emphasizing shared values makes the brand more attractive to buyers and can drive sales and gain loyalty.

    Sustainable business growth

    For brands that are not well established in their target market, short-term tactics that focus on immediate benefits can be ineffective. In contrast, long-term brand awareness strategies provide a more sustainable ROI (return on investment).

    Investing in building brand awareness can impact a business's ability to interact with its target audience, generate leads, and increase sales. Moreover, it can significantly contribute to boosting the business's brand equity and market valuation.

    "Quick wins may work in the short term, but they're not an ideal substitute for long-term tactics and continued success."
    Source: Forbes

    Impacts of low brand awareness on businesses

    Unfamiliar brands, despite their strong potential, won't thrive unless they invest in their notoriety.

    Brands that choose not to invest in longer-term awareness strategies and rely solely on short-term growth tactics in hopes of an immediate gain will see their ability to grow diminished and their longevity reduced due to a lack of market presence and recognition.

    Symptoms of a weakening brand include:

    • High marketing spending and limited results
    • Low market share or penetration
    • Low sales, revenue, and gross margin
    • Weak renewal rate, customer retention, and loyalty
    • Difficulties delivering on the brand promise, low/no trust in the brand
    • Limited brand equity, business valuation, and sustainability
    • Unattractive brand to partners and investors

    "Your brand is the single most important investment you can make in your business."
    Source: Steve Forbes

    Most common obstacles to increasing brand awareness

    Successfully building brand awareness requires careful preparation and planning.

    • Limited market intelligence
    • Unclear competitive advantage/key differentiator
    • Misaligned and inconsistent messaging and storytelling
    • Lack of long-term vision and low prioritization
    • Limited resources to develop and execute brand awareness building tactics
    • Unattractive content that does not resonate and generates little or no interest and engagement

    Investing in the notoriety of the brand

    Become the top-of-mind brand in your target market.

    To stand out, be recognized by their target audience, and become major players in their industry, brands must adopt a winning strategy that includes the following elements:

    • In-depth knowledge and understanding of the market and audience
    • Strengthening digital presence and activities
    • Creating and publishing content relevant to the target audience
    • Reaching out through multiple touchpoints
    • Using a more human-centric approach
    • Ensuring consistency in all aspects of the brand, across all media and channels

    How far are you from being the brand buyers think of first in your target market?

    Brand awareness pyramid

    Based on David Aaker's brand loyalty pyramid

    Tactics for building brand awareness

    Focus on effective ways to gain brand recognition in the minds of buyers.

    This is an image of the Brand Awareness Journey Roadmap.

    Brand recognition requires in-depth knowledge of the target market, the creation of strong brand attributes, and increased presence and visibility.

    Understand the market and audience you're targeting

    Be prepared. Act smart.

    To implement a winning brand awareness-building strategy, you must:

    • Be aware of your competitor's strengths and weaknesses, as well as yours.
    • Find out who is behind the keyboard, and the user experience they expect to have.
    • Plan and continuously adapt your tactics accordingly.
    • Make your buyer the hero.

    Identify the brand's uniqueness

    Find your "winning zone" and how your brand uniquely addresses buyers' pain points.

    Focus on your key differentiator

    A brand has found its "winning zone" or key differentiator when its value proposition clearly shows that it uniquely solves its buyers' specific pain points.

    Align with your target audience's real expectations and successfully interact with them by understanding their persona and buyer's journey. Know:

    • How you uniquely address their pain points.
    • Their values and what motivates them.
    • Who they see as authorities in your field.
    • Their buying habits and trends.
    • How they like brands to engage with them.

    An image of a Venn diagram between the following three terms: Buyer pain point; Competitors' value proposition; your unique value proposition.  The overlapping zone is labeled the Winning zone.  This is your key differentiator.

    Give your brand a voice

    Define and present a consistent voice across all channels and assets.

    The voice reflects the personality of the brand and the emotion to be transmitted. That's why it's crucial to establish strict rules that define the language to use when communicating through the brand's voice, the type of words, and do's and don'ts.

    To be recognizable it is imperative to avoid inconsistencies. No matter how many people are behind the brand voice, the brand must show a unique, distinctive personality. As for the tone, it may vary according to circumstances, from lighter to more serious.

    Up to 80% increase in customer recognition when the brand uses a signature color scheme across multiple platforms.
    Source: Startup Bonsai
    Consistent branding across channels leads to a 23% revenue increase.
    Source: Harvard Business Review

    When we close our eyes and listen, we all recognize Ella Fitzgerald's rich and unique singing voice.

    We expect to recognize the writing of Stephen King when we read his books. For the brand's voice, it's the same. People want to be able to recognize it.

    Adopt a more human-centric approach

    If your brand was a person, who would it be?

    Human attributes

    Physically attractive

    • Brand identity
    • Logo and tagline
    • Product design

    Intellectually stimulating

    • Knowledge and ideas
    • Continuous innovation
    • Thought leadership

    Sociable

    • Friendly, likeable and fun
    • Confidently engage with audience through multiple touchpoints
    • Posts and shares meaningful content
    • Responsive

    Emotionally connected

    • Inspiring
    • Powerful influencer
    • Triggers emotional reactions

    Morally sound

    • Ethical and responsible
    • Value driven
    • Deliver on its promise

    Personable

    • Honest
    • Self-confident and motivated
    • Accountable

    0.05 seconds is what it takes for someone to form an opinion about a website and a brand.
    Source: 8ways

    90% of the time, our initial gut reaction to products is based on color alone.
    Source: Startup Bonsai

    56% of the final B2B purchasing decision is based on emotional factors.
    Source: B2B International

    Put values at the heart of the brand-buyer relationship

    Highlight values that will resonate with your audience.

    Brands that focus on the values they share with their buyers, rather than simply on a product or service, succeed in making meaningful emotional connections with them and keep them actively engaged.

    Shared values such as transparency, sustainability, diversity, environmental protection, and social responsibility become the foundation of a solid relationship between a brand and its audience.

    The key is to know what motivates the target audience.

    86% of consumers claim that authenticity is one of the key factors they consider when deciding which brands they like and support.
    Source: Business Wire

    56% of the final decision is based on having a strong emotional connection with the supplier.
    Source: B2B International

    64% of today's customers are belief-driven buyers; they want to support brands that "can be a powerful force for change."
    Source: Edelman

    "If people believe they share values with a company, they will stay loyal to the brand."
    – Howard Schultz
    Source: Lokus Design

    Double-down on digital

    Develop your digital presence and reach out to your target audiences through multiple touchpoints.

    Beyond engaging content, reaching the target audience requires brands to connect and interact with their audience in multiple ways so that potential buyers can form an opinion.

    With the right message consistently delivered across multiple channels, brands increase their reach, create a buzz around their brand and raise awareness.

    73% of today's consumers confirm they use more than one channel during a shopping journey
    Source: Harvard Business Review

    Platforms

    • Website and apps
    • Social media
    • Group discussions

    Multimedia

    • Webinars
    • Podcasts
    • Publication

    Campaign

    • Ads and advertising
    • Landing pages
    • Emails, surveys, drip campaigns

    Network

    • Tradeshows, events, sponsorships
    • Conferences, speaking opportunities
    • Partners and influencers

    Use social media to connect

    Reach out to the masses with a social media presence.

    Social media platforms represent a cost-effective opportunity for businesses to connect and influence their audience and tell their story by posting relevant and search-engine-optimized content regularly on their account and groups. It's also a nice gateway to their website.

    Building a relationship with their target buyer through social media is also an easy way for businesses to:

    • Understand the buyers.
    • Receive feedback on how the buyers perceive the brand and how to improve it.
    • Show great user experience and responsiveness.
    • Build trust.
    • Create awareness.

    75% of B2B buyers and 84% of C-Suite executives use social media when considering a purchase
    Source: LinkedIn Business

    92% of B2B buyers use social media to connect with leaders in the sales industry.
    Source: Techjury

    With over 4.5 billion social media users worldwide, and 13 new users signing up to their first social media account every second, social media is fast becoming a primary channel of communication and social interaction for many.
    Source: McKinsey

    Become the subject matter expert

    Raise awareness with thought leadership content.

    Thought leadership is about building credibility by creating and publishing meaningful, relevant content that resonates with a target audience.

    Thought leaders write and publish all kinds of relevant content such as white papers, ebooks, case studies, infographics, video and audio content, webinars, and research reports. They also participate in speaking opportunities, live presentations, and other high-visibility forums.

    Well-executed thought leadership strategies help brands to:

    • Raise awareness.
    • Build credibility.
    • Be recognized as a subject matter expert.
    • Become an industry leader.

    60% of buyers say thought leadership builds credibility when entering a new category where the brand is not already known.
    Source: Edelman | LinkedIn

    70% of people would rather learn about a company through articles rather than advertising.
    Source: Brew Interactive

    57% of buyers say that thought leadership builds awareness for a new or little-known brand.
    Source: Edelman | LinkedIn

    To achieve best results

    • Know the buyers' persona and journey.
    • Create original content that matches the persona of the target audience and that is close to their values.
    • Be truthful and insightful.
    • Find the right tone and balance between being human-centric, authoritative, and bold.
    • Be mindful of people's attention span and value their time.
    • Create content for each phase of the buyer's journey.
    • Ensure content is search-engine-optimized and keyword-loaded, and add calls to action (CTAs).
    • Add reason to believe, data to support, and proof points.
    • Address the buyers' pain points in a unique way.

    Avoid

    • Focusing on product features and on selling.
    • Publishing generic content.
    • Using an overly corporate tone.

    Promote personal branding

    Rely on your most powerful brand ambassadors and influencers: your employees.

    The strength of personal branding is amplified when individuals and companies collaborate to pursue personal branding initiatives that offer mutual benefits. By training and positioning key employees as brand ambassadors and industry influencers, brands can boost their brand awareness through influencer marketing strategies.

    Personal branding, when well aligned with business goals, helps brands leverage their key employees' brands to:

    • Increase the organization's brand awareness.
    • Broaden their reach and circle of influence.
    • Show value, gain credibility, and build trust.
    • Stand out from the competition.
    • Build employee loyalty and pride.
    • Become a reference to other businesses.
    • Increase speaking opportunities.
    • Boost qualified leads and sales.

    About 90% of an organization's employee network tends to be completely new to the brand.
    Source: Everyone Social

    8X more engagement comes from social media content shared by employees rather than brand accounts.
    Source: Entrepreneur

    561% more reach when brand messages are shared by employees on social media than when the same message is shared by the brand's social media.
    Source: Entrepreneur

    "Personal branding is the art of becoming knowable, likable and trustable."
    Source: Founder Jar, John Jantsch

    Invest in B2B influencer marketing

    Broaden your reach and audiences by leveraging the voice of influencers.

    Influencers are trusted industry experts and analysts who buyers can count on to provide reliable information when looking to make a purchase.

    Influencer marketing can be very effective to reach new audiences, increase awareness, and build trust. But finding the right influencers with the level of credibility and visibility brands are expecting can sometimes be challenging.

    Search for influencers that have:

    • Relevance of audience and size.
    • Industry expertise and credibility.
    • Ability to create meaningful content (written, video, audio).
    • Charismatic personality with values consistent with the brand.
    • Frequent publications on at least one leading media platform.

    76% of people say that they trust content shared by people over a brand.
    Source: Adweek


    44% increase in media mentions of the brand using B2B influencer marketers.
    Source: TopRank Marketing

    Turn your customers into brand advocates

    Establish customer advocacy programs and deliver a great customer experience.

    Retain your customers and turn them into brand advocates by building trust, providing an exceptional experience, and most importantly, continuously delivering on the brand promise.

    Implement a strong customer advocacy program, based on personalized experiences, the value provided, and mutual exchange, and reap the benefits of developing and growing long-term relationships.

    92% of individuals trust word-of-mouth recommendations, making it one of the most trust-rich forms of advertising.
    Source: SocialToaster

    Word-of-mouth (advocacy) marketing increases marketing effectiveness by 54%
    Source: SocialToaster

    Make your brand known and make it stick in people's minds

    Building and maintaining high brand awareness requires that each individual within the organization carry and deliver the brand message clearly and consistently across all media whether in person, in written communications, or otherwise.

    To achieve this, brand leaders must first develop a powerful, researched narrative that people will embrace and convey, which requires careful preparation.

    Target market and audience intel

    • Target market intel
    • Buyer persona and journey/pain points
    • Uniqueness and positioning

    Brand attributes

    • Values at the heart of the relationship
    • Brand's human attributes

    Brand visibility and recall

    • Digital and social media presence
    • Thought leadership
    • Personal branding
    • Influencer marketing

    Brand awareness building plan

    • Long-term awareness and multi-touchpoint approach
    • Monitoring and optimization

    Short and long-term benefits of increasing brand awareness

    Brands are built over the long term but the rewards are high.

    • Stronger brand perception
    • Improved engagement and brand associations
    • Enhanced credibility, reputation, and trust
    • Better connection with customers
    • Increased repeat business
    • High-quality leads
    • Higher and faster conversion rate
    • More sales closed / deals won
    • Greater brand equity
    • Accelerated growth

    "Strong brands outperform their less recognizable competitors by as much as 73%."
    Source: McKinsey

    Brand awareness building

    Building brand awareness, even though immediate benefits are often difficult to see and measure, is essential for companies to stand out from their competitors and continue to grow in a sustainable way.

    To successfully raise awareness, brands need to have:

    • A longer-term vision and strategy.
    • Market intelligence, a clear value proposition, and key differentiator.
    • Consistent, well-aligned messaging and storytelling.
    • Digital presence and content.
    • The ability to reach out through multiple touchpoints.
    • Necessary resources.

    Without brand awareness, brands become less attractive to buyers, talent, and investors, and their ability to grow, increase their market value, and be sustainable is reduced.

    Brand awareness building methodology

    Define brands' personality and message

    • Gather market intel and analyze the market.
    • Determine the value proposition and positioning.
    • Define the brand archetype and voice.
    • Craft a compelling brand message and story.
    • Get all the key elements of your brand guidelines.

    Start building brand awareness

    • Achieve strategy alignment and readiness.
    • Create and manage assets.
    • Deploy your tactics, assets, and workflows.
    • Establish key performance indicators (KPIs).
    • Monitor and optimize on an ongoing basis.

    Toolkit

    • Market and Influencing Factors Analysis
    • Recognition Survey and Best Practices
    • Buyer Personas and Journeys
    • Purpose, Mission, Vision, Values
    • Value Proposition and Positioning
    • Brand Message, Voice, and Writing Style
    • Brand Strategy and Tactics
    • Asset Creation and Management
    • Strategy Rollout Plan

    Short and long-term benefits of increasing brand awareness

    Increase:

    • Brand perception
    • Brand associations and engagement
    • Credibility, reputation, and trust
    • Connection with customers
    • Repeat business
    • Quality leads
    • Conversion rate
    • Sales closed / deals won
    • Brand equity and growth

    It typically takes 5-7 brand interactions before a buyer remembers the brand.
    Source: Startup Bonsai

    Who benefits from this brand awareness research?

    This research is designed for:
    Brand and marketing leaders who:

    • Know that brand awareness is essential to the success of all marketing and sales activities.
    • Want to make their brand unique, recognizable, meaningful, and highly visible.
    • Seek to increase their digital presence, connect and engage with their target audience.
    • Are looking at reaching a new segment of the market.

    This research will also assist:

    • Sales with qualified lead generation and customer retention and loyalty.
    • Human Resources in their efforts to attract and retain talent.
    • The overall business with growth and increased market value.

    This research will help you:

    • Gain market intelligence and a clear understanding of the target audience's needs and trends, competitive advantage, and key differentiator.
    • Develop clear, compelling, human-centric messaging and a story driven by brand values.
    • Increase online presence and brand awareness activities to attract and engage with buyers.
    • Develop a long-term brand awareness strategy and deployment plan.

    This research will help them:

    • Increase campaign ROI.
    • Develop a longer-term vision and see the benefits of investing in longer-term initiatives.
    • Build brand equity and increase business valuation.
    • Grow the business in a more sustainable way.

    SoftwareReviews' brand awareness building methodology

    Phase 1 Define brands' personality and message

    Phase 2 Start building brand awareness

    Phase steps

    1.1 Gather market intelligence and analyze the market.

    1.2 Develop and document the buyer's persona and journey.

    1.3 Uncover the brand mission, vision statement, core values, value proposition and positioning.

    1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

    2.1 Achieve strategy alignment and readiness.

    2.2 Create assets and workflows and deploy tactics.

    2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Phase outcomes

    • Target market and audience are identified and documented.
    • A clear value proposition and positioning are determined.
    • The brand personality, voice, and messaging are developed.
    • All the key elements of the brand guidelines are in place and ready to use, along with the existing logo, typography, color palette, and imagery.
    • A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
    • A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
    • Resources are assigned.

    Insight summary

    Brands to adapt their strategies to achieve longer-term growth
    Brands must adapt and adjust their strategies to attract informed buyers who have access to a wealth of products, services, and brands from all over. Building brand awareness, even though immediate benefits are often difficult to see and measure, has become essential for companies that want to stand out from their competitors and continue to grow in a sustainable way.

    A more human-centric approach
    Brand personalities matter. Brands placing human values at the heart of the customer-brand relationship will drive interest in their brand and build trust with their target audience.

    Stand out from the crowd
    Brands that develop and promote a clear and consistent message across all platforms and channels, along with a unique value proposition, stand out from their competitors and get noticed.

    A multi-touchpoint strategy
    Engage buyers with relevant content across multiple media to address their pain points. Analyze touchpoints to determine where to invest your efforts.

    Going social
    Buyers expect brands to be active and responsive in their interactions with their audience. To build awareness, brands are expected to develop a strong presence on social media by regularly posting relevant content, engaging with their followers and influencers, and using paid advertising. They also need to establish thought leadership through content such as white papers, case studies, and webinars.

    Thought leaders wanted
    To enhance their overall brand awareness strategy, organizations should consider developing the personal brand of key executives. Thought leadership can be a valuable method to gain credibility, build trust, and drive conversion. By establishing thought leadership, businesses can increase brand mentions, social engagement, website traffic, lead generation, return on investment (ROI), and Net Promoter Score (NPS).

    Save time and money with SoftwareReviews' branding advice

    Collaborating with SoftwareReviews analysts for inquiries not only provides valuable advice but also leads to substantial cost savings during branding activities, particularly when partnering with an agency.

    Guided Implementation: Build brands' personality and message

    Purpose: Get the key elements of the brand guidelines in place and ready to use, along with your existing logo, typography, color palette, and imagery, to ensure consistency and clarity across all brand touchpoints from internal communication to customer-facing materials.

    Measured Value: Working with SoftwareReviews analysts to develop brand guidelines saves costs compared to hiring an agency.

    Example: Building the guidelines with an agency will take more or less the same amount of time and cost approximately $80K.

    Guided Implementation: Start building brand awareness

    Purpose: Achieve strategy alignment and readiness, then deploy tactics, assets, and other deliverables. Start building brand awareness and reap the immediate and long-term benefits.

    Measured Value: Working with SoftwareReviews analysts and your team to develop a long-term brand strategy and deployment will cost you a fraction of the cost of using an agency.

    Example: Developing and executing long-term brand awareness strategies with an agency will cost between $50-$75K/month over a 24-month period minimum.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Build brands' personality and message

    Phase 2

    Start building brand awareness

    • Call #1: Discuss concept and benefits of building brand awareness. Identify key stakeholders. Anticipate concerns and objections.
    • Call #2: Discuss target market intelligence, information gathering, and analysis.
    • Call #3: Review market intelligence information. Address questions or concerns.
    • Call #4: Discuss value proposition and guide to find positioning and key differentiator.
    • Call #5: Review value proposition. Address questions or concerns.
    • Call #6: Discuss how to build a comprehensive brand awareness strategy using SR guidelines and template.
    • Call #7: Review strategy. Address questions or concerns.
    • Call #8: Second review of the strategy. Address questions or concerns.
    • Call #9 (optional): Third review of the strategy. Address questions or concerns.
    • Call #10: Discuss how to build the Execution Plan using SR template.
    • Call #11: Review Execution Plan. Address questions or concerns.
    • Call #12: Second review of the Execution Plan. Address questions or concerns.
    • Call #13 (optional): Third review of the Execution Plan. Address questions or concerns.
    • Call #14: Discuss how to build compelling storytelling and content creation.
    • Call #15: Discuss website and social media platforms and other initiatives.
    • Call #16: Discuss marketing automation and continuous monitoring.
    • Call #17 (optional): Discuss optimization and reporting.
    • Call #18: Debrief and determine how we can help with next steps.

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

    Your engagement managers will work with you to schedule analyst calls.

    Brand awareness building tools

    Each step of this blueprint comes with tools to help you build brand awareness.

    Brand Awareness Tool Kit

    This kit includes a comprehensive set of tools to help you better understand your target market and buyers, define your brand's personality and message, and develop an actionable brand awareness strategy, workflows, and rollout plan.

    The set includes these templates:
    • Market and Influencing Factors Analysis
    • Recognition Survey and Best Practices
    • Buyer Personas and Journeys
    • Purpose, Mission, Vision, and Values
    • Value Proposition and Positioning
    • Brand Message, Voice, and Writing Style
    • Brand Strategy and Tactics
    • Asset Creation and Management
    • Strategy Rollout Plan

    Get started!

    Know your target market and audience, deploy well-designed strategies based on shared values, and make meaningful connections with people.

    Phase 1

    Define brands' personality and message

    Phase 2

    Start building brand awareness

    Phase 1

    Define brands' personality and message

    Steps

    1.1 Gather market intelligence and analyze the market.
    1.2 Develop and document the buyer's persona and journey.
    1.3 Uncover the brand mission, vision statement, core values, positioning, and value proposition.
    1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

    Phase outcome

    • Target market and audience are identified and documented.
    • A clear value proposition and positioning are determined.
    • The brand personality, voice, and messaging are developed.
    • All the key elements of the brand guidelines are in place and ready to use, along with the existing logo, typography, color palette, and imagery.

    Build brands' personality and message

    Step 1.1 Gather market intelligence and analyze the market.

    Total duration: 2.5-8 hours

    Objective

    Analyze and document your competitive landscape, assess your strengths, weaknesses, opportunities, and threats, gauge the buyers' familiarity with your brand, and identify the forces of influence.

    Output

    This exercise will allow you to understand your market and is essential to developing your value proposition.

    Participants

    • Head of branding and key stakeholders

    MarTech
    May require you to:

    • Register with a survey platform.
    • Use, set up, or install platforms like a CRM and/or marketing automation platform.

    Tools

    1.1.1 SWOT and competitive landscape

    (60-120 min.)

    Analyze & Document

    Follow the instructions in the Market Analysis Template to complete the SWOT and Competitive Analysis, slides 4 to 7.

    1.1.3 Internal and External Factors

    (30-60 min.)

    Analyze

    Follow the instructions in the External and Internal Factors Analysis Template to perform the PESTLE, Porter's 5 Forces, and Internal Factors and VRIO Analysis.

    Transfer

    Transfer key information into slides 10 and 11 of the Market Analysis Template.

    Consult the SoftwareReviews website to find the best survey and MarTech platforms or contact one of our analysts for more personalized assistance and guidance.

    1.1.2 Brand recognition

    (60-300 min.)

    Prep

    Adapt the survey and interview questions in the Brand Recognition Survey Questionnaire and List Template.

    Determine how you will proceed to conduct the survey and interviews (internal or external resources, and tools).

    Refer to the Survey Emails Best Practices Guidelines for more information on how to conduct email surveys.

    Collect & Analyze

    Use the Brand Recognition Survey Questionnaire and List Template to build your list, conduct the survey/interviews, and collect and analyze the feedback received.

    Transfer

    Transfer key information into slides 8 and 9 of the Market Analysis Template.

    Brand performance diagnostic

    Have you considered diagnosing your brand's current performance before you begin building brand awareness?

    Audit your brand using the Diagnose Brand Health to Improve Business Growth blueprint. Collect and interpret qualitative and quantitative brand performance measures.

    The toolkit includes the following templates:

    • Survey and interview questions and lists
    • External and internal factor analysis
    • Digital and financial metrics analysis

    Also included is an executive presentation template to communicate the results to key stakeholders and recommendations to fix the uncovered issues.

    Build brands' personality and message

    Step 1.2 Develop and document the buyer's persona and journey.

    Total duration: 4-8 hours

    Objective

    Gather existing and desired customer insights and conduct market research to define and personify your buyers' personas and their buying behaviors.

    Output

    Provide people in your organization with clear direction on who your target buyers are and guidance on how to effectively reach and engage with them throughout their journey.

    Participants

    • Head of branding
    • Key stakeholders from sales and product marketing

    MarTech
    May require you to:

    • Register with an online survey platform (free version or subscription).
    • Use, set up, or install platforms like a CRM and/or marketing automation platform.

    Tools

    1.2.1 Buyer Personas and Journeys

    (240-280 min.)

    Research

    Identify your tier 1 to 3 customers using the Ideal Client Profile (ICP) Workbook. (Recommended)

    Survey and interview existing and desired customers using the Buyer Persona and Journey Interview Guide and Data Capture Tool. (Recommended)

    Create

    Define and document your tier 1 to 3 Buyer Personas and Journeys using the Buyer Personas and Journeys Presentation Template.

    Consult the SoftwareReviews website to find the best survey platform for your needs or contact one of our analysts for more personalized assistance and guidance.

    Buyer Personas and Journeys

    A well-defined buyer persona and journey is a great way for brands to ensure they are effectively reaching and engaging their ideal buyers through a personalized buying experience.

    When properly documented, it provides valuable insights about the ideal customers, their needs, challenges, and buying decision processes allowing the development of initiatives that correspond to the target buyers.

    Build brands' personality and message

    Step 1.3 Uncover the brand mission, vision statement, core values, value proposition, and positioning.

    Total duration: 4-5.5 hours

    Objective
    Define the "raison d'être" and fundamental principles of your brand, your positioning in the marketplace, and your unique competitive advantage.

    Output
    Allows everyone in an organization to understand and align with the brand's raison d'être beyond the financial dimension, its current positioning and objectives, and how it intends to achieve them.
    It also serves to communicate a clear and appealing value proposition to buyers.

    Participants

    • Head of branding
    • Chief Executive Officer (CEO)
    • Key stakeholders

    Tools

    • Brand Purpose, Mission, Vision, and Values Template
    • Value Proposition and Positioning Statement Template

    1.3.1 Brand Purpose, Mission, Vision, and Values

    (90-120 min.)

    Capture or Develop

    Capture or develop, if not already existing, your brand's purpose, mission, vision statement, and core values using slides 4 to 7 of the Brand Purpose, Mission, Vision, and Values Template.

    1.3.2 Brand Value Proposition and Positioning

    (150-210 min.)

    Define

    Map the brand value proposition using the canvas on slide 5 of the Value Proposition and Positioning Statement Template, and clearly articulate your value proposition statement on slide 4.

    Optional: Use canvas on slide 7 to develop product-specific product value propositions.

    On slide 8 of the same template, develop your brand positioning statement.

    Build brands' personality and message

    Step 1.4 Define the brand's archetype and tone of voice, and craft compelling brand messaging.

    Total duration: 5-8 hours

    Objective

    Define your unique brand voice and develop a set of guidelines, brand story, and messaging to ensure consistency across your digital and non-digital marketing and communication assets.

    Output

    A documented brand personality and voice, as well as brand story and message, will allow anyone producing content or communicating on behalf of your brand to do it using a unique and recognizable voice, and convey the right message.

    Participants

    • Head of branding
    • Content specialist
    • Chief Executive Officer and other key stakeholders

    Tools

    • Brand Voice Guidelines Template
    • Writing Style Guide Template
    • Brand Messaging Template
    • Writer Checklist Template

    1.4.1 Brand Archetype and Tone of Voice

    (120-240 min.)

    Define and document

    Refer to slides 5 and 6 of the Brand Voice Guidelines Template to define your brand personality (archetype) on slide 7.

    Use the Brand Voice Guidelines Template to define your brand tone of voice and characteristics on slides 8 and 9, based on the 4 primary tone of voice dimensions, and develop your brand voice chart on slide 9.

    Set Rules

    In the Writing Style Guide template, outline your brand's writing principles, style, grammar, punctuation, and number rules.

    1.4.2 Brand Messaging

    (180-240 min.)

    Craft

    Use the Brand Messaging template, slides 4 to 7, to craft your brand story and message.

    Audit

    Create a content audit to review and approve content to be created prior to publication, using the Writer's Checklist template.

    Important Tip!

    A consistent brand voice helps people remember and trust the brand. It should stand out from the competitors' voices and be meaningful to the target audience. Once the brand voice is set, avoid changing it.

    Phase 2

    Start building brand awareness

    Steps

    2.1 Achieve strategy alignment and readiness.
    2.2 Create assets and workflows, and deploy tactics.
    2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Phase outcome

    • A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
    • A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
    • Resources are assigned.

    Start building brand awareness

    Step 2.1 Achieve strategy readiness and alignment.

    Total duration: 4-5 hours

    Objective

    Now that you have all the key elements of your brand guidelines in place, in addition to your existing logo, typography, color palette, and imagery, you can begin to build brand awareness.

    Start planning to build brand awareness by developing a comprehensive and actionable brand awareness strategy with tactics that align with the company's purpose and objectives. The strategy should include achievable goals and measurables, budget and staffing considerations, and a good workload assessment.

    Output

    A comprehensive long-term, actionable brand awareness strategy with KPIs and measurables.

    Participants

    • Head of branding
    • Key stakeholders

    Tools

    • Brand Awareness Strategy and Tactics Template

    2.1.1 Brand Awareness Analysis

    (60-120 min.)

    Identify

    In slide 5 of the Brand Awareness Strategy and Tactics Template, identify your top three brand awareness drivers, opportunities, inhibitors, and risks to help you establish your strategic objectives in building brand awareness.

    2.1.2 Brand Awareness Strategy

    (60-120 min.)

    Elaborate

    Use slides 6 to 10 of the Brand Awareness Strategy and Tactics Template to elaborate on your strategy goals, key issues, and tactics to begin or continue building brand awareness.

    2.1.3 Brand Awareness KPIs and Metrics

    (180-240 min.)

    Set

    Set the strategy performance metrics and KPIs on slide 11 of the Brand Awareness Strategy and Tactics Template.

    Monitor

    Once you start executing the strategy, monitor and report each quarter using slides 13 to 15 of the same document.

    Understanding the difference between strategies and tactics

    Strategies and tactics can easily be confused, but although they may seem similar at times, they are in fact quite different.

    Strategies and tactics are complementary.

    A strategy is a plan to achieve specific goals, while a tactic is a concrete action or set of actions used to implement that strategy.

    To be effective, brand awareness strategies should be well thought-out, carefully planned, and supported by a series of tactics to achieve the expected outcomes.

    Start building brand awareness

    Step 2.2 Create assets and workflows and deploy tactics.

    Total duration: 3.5-4.5 hours

    Objective

    Build a long-term rollout with deliverables, milestones, timelines, workflows, and checklists. Assign resources and proceed to the ongoing development of assets. Implement, manage, and continuously communicate the strategy and results to key stakeholders.

    Output

    Progressive and effective development and deployment of the brand awareness-building strategy and tactics.

    Participants

    • Head of branding

    Tools

    • Asset Creation and Management List
    • Campaign Workflows Template
    • Brand Awareness Strategy Rollout Plan Template

    2.2.1 Assets Creation List

    (60-120 min.)

    Inventory

    Inventory existing assets to create the Asset Creation and Management List.

    Assign

    Assign the persons responsible, accountable, consulted, and informed of the development of each asset, using the RACI model in the template. Ensure you identify and collaborate with the right stakeholders.

    Prioritize

    Prioritize and add release dates.

    Communicate

    Update status and communicate regularly. Make the list with links to the assets available to the extended team to consult as needed.

    2.2.2 Rollout Plan

    (60-120 min.)

    Inventory

    Map out your strategy deployment in the Brand Awareness Strategy Rollout Plan Template and workflow in the Campaign Workflow Template.

    Assign

    Assign the persons responsible, accountable, consulted, and informed for each tactic, using the RACI model in the template. Ensure you identify and collaborate with the right stakeholders.

    Prioritize

    Prioritize and adjust the timeline accordingly.

    Communicate

    Update status and communicate regularly. Make the list with links to the assets available to the extended team to consult as needed.

    Brand Awareness Strategy Rollout Plan
    A strategy rollout plan typically includes the following:

    • Identifying a cross-functional team and resources to develop the assets and deploy the tactics.
    • Listing the various assets to create and manage.
    • A timeline with key milestones, deadlines, and release dates.
    • A communication plan to keep stakeholders informed and aligned with the strategy and tactics.
    • Ongoing performance monitoring.
    • Constant adjustments and improvements to the strategy based on data collected and feedback received.

    Start building brand awareness

    Step 2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Total duration: 3.5-4.5 hours

    Objective

    Brand awareness is built over a long period of time and must be continuously monitored in several ways. Measuring and monitoring the effectiveness of your brand awareness activities will allow you to constantly adjust your tactics and continue to build awareness.

    Output

    This step will provide you with a snapshot of your current level of brand awareness and interactions with the brand, and allow you to set up the tools for ongoing monitoring and optimization.

    Participants

    • Head of branding
    • Digital marketing manager

    MarTech
    May require you to:

    • Register for an Online Survey Platform (free version or subscription), or
    • Use, set up, or install platforms like a CRM and/or Marketing Automation Platform.
    • Use Google Analytics or other tracking tools.
    • Use social media and campaign management tools.

    Tools

    • Brand Awareness Strategy and Tactics Template

    2.2.2 Rollout Plan

    (60-120 min.)

    Measure

    Monitor and record the strategy performance metrics in slides 12 to 15 of the Brand Awareness Strategy and Tactics template, and gauge its performance against preset KPIs in slide 11. Make ongoing improvements to the strategy and assets.

    Communicate

    The same slides in which you monitor strategy performance can be used to report on the results of the current strategy to key stakeholders on a monthly or quarterly basis, as appropriate.

    Take this opportunity to inform stakeholders of any adjustments you plan to make to the existing plan to improve its performance. Since brand awareness is built over time, be sure to evaluate the results based on how long the strategy has been in place before making major changes.

    Consult the SoftwareReviews website to find the best survey, brand monitoring and feedback, and MarTech platforms, or contact one of our analysts for more personalized assistance and guidance.

    Measuring brand strategy performance
    There are two ways to measure and monitor your brand's performance on an ongoing basis.

    • By registering for brand monitoring and feedback platforms and tools like Meltwater, Hootsuite, Insights, Brand24, Qualtrics, and Wootric.
    • Manually, using native analytics built in the platforms you're already using, such as Google and Social Media Analytics, or by gathering customer feedback through surveys, or calculating CAC, ROI, and more in spreadsheets.

    SoftwareReviews can help you choose the right platform for your needs. We also equip you with manual tools, available with the Diagnose Brand Health to Improve Business Growth blueprint to measure:

    • Survey and interview questions and lists.
    • External and internal factor analysis.
    • Digital and financial metrics analysis.
    • Executive presentation to report on performance.

    Related SoftwareReviews research


    Create a Buyer Persona and Journey

    Get deeper buyer understanding and achieve product-market fit, with easier access to market and sales.

    • Reduce time and resources wasted chasing the wrong prospects.
    • Increase open and click-through rates.
    • Perform more effective sales discovery.
    • Increase win rate.

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix them.

    • Increase brand awareness and equity.
    • Build trust and improve customer retention and loyalty.
    • Achieve higher and faster growth.


    Help Managers Inform, Interact, and Involve on the Way to Team Engagement

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Employee Development
    • Parent Category Link: /train-and-develop
    • Employee engagement impacts a company’s bottom line as well as the quality of work life for employees.
    • Employee engagement surveys often fail to provide the value you are hoping for because they are treated like an annual project that quickly loses steam.
    • The responsibility for fixing the issues identified falls to HR, and ultimately HR has very little control over an employee’s concerns with their day-to-day role.

    Our Advice

    Critical Insight

    • HR and the executive team have been exclusively responsible for engagement for too long. Since managers have the greatest impact on employees, they should also be primarily responsible for employee engagement.
    • In most organizations, managers underestimate the impact they can have on employee engagement, and assume that the broader organization will take more meaningful action.
    • Improving employee engagement may be as simple as improving the frequency and quality of the “3Is”: informing employees about the why behind decisions, interacting with them on a personal level, and involving them in decisions that affect them.

    Impact and Result

    • Managers have the greatest impact on employee engagement as they are in a unique situation to better understand what makes employees tick.
    • If employees have a good relationship with their manager, they are much more likely to be engaged at work which ultimately leads to increases in revenue, profit, and shareholder return.

    Help Managers Inform, Interact, and Involve on the Way to Team Engagement Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get more involved in analyzing and improving team engagement

    Improve employee engagement and ultimately the organization’s bottom line.

    • Storyboard: Help Managers Inform, Interact, and Involve on the Way to Team Engagement

    2. Gather feedback from employees

    Have a productive engagement feedback discussion with teams.

    • Engagement Feedback Session Agenda Template

    3. Engage teams to improve engagement

    Facilitate effective team engagement action planning.

    • Action Planning Worksheet

    4. Gain insight into what engages and disengages employees

    Solicit employee pain points that could potentially hinder their engagement.

    • Stay Interview Guide

    5. Get to know new hires on a more personal level

    Develop a stronger relationship with employees to drive engagement.

    • New Hire Conversation Guide

    Accelerate Your Automation Processes

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk

    Your organization needs to:

    • Define an automation suite for the business.
    • Specify the business goals for your automation suite.
    • Roadmap your automation modules to continually grow your automation platform.
    • Identify how an automation suite can help the organization improve.

    Our Advice

    Critical Insight

    Start small and do it right:

    • Assess whether a particular solution works for your organization and, if it does, continue investing in it before moving on to the next solution.
    • Overwhelming your organization with a plethora of automation solutions can lead to a lack of management for each solution and decrease your overall return on investment.

    Impact and Result

    • Define your automation suite in terms of your business goals.
    • Take stock of what you have now: RPA, AIOps, chatbots.
    • Think about how to integrate and optimize what you have now, as well as roadmap your continual improvement.

    Accelerate Your Automation Processes Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to find out why your organization should accelerate your automation processes, review Info-Tech’s methodology, and understand the ways Info-Tech can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Discover automation suite possibilities

    Take hold of your current state and assess where you would like to improve. See if adding a new automation module or investing in your current modules is the right decision.

    • Automation Suite Maturity Assessment Tool

    2. Chart your automation suite roadmap

    Build a high-level roadmap of where you want to bring your organization's automation suite in the future.

    • Automation Suite Roadmap Tool

    Determine Your Zero Trust Readiness

    • member rating overall impact (scale of 10): 9.8/10 Overall Impact
    • member rating average dollars saved: $24,574 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    CISOs pushing for zero trust as their security strategy face several challenges including:

    • Understanding and clarifying the benefits of zero trust for the organization.
    • The inability to verify all business operations are maintaining security best practices.
    • Convincing business units to add more security controls that go against the grain of reducing friction in workflows while still demonstrating these controls support the business.

    Our Advice

    Critical Insight

    • Zero trust must benefit the business and security. Because the road to zero trust is an iterative process, IT security will need to constantly determine how different areas of zero trust will affect core business processes.
    • Zero trust reduces reliance on perimeter security. Zero trust is a strategy that solves how to move beyond the reliance on perimeter security and move controls to where the user accesses resources.
    • Not everyone can achieve zero trust, but everyone can adopt it. Zero trust will be different for every organization and may not be applicable in every control area. This means that zero trust is not a one-size-fits-all approach to IT security. Zero trust is the goal, but some organizations can only get so close to the ideal.

    Impact and Result

    Zero trust is a journey that uses multiple capabilities and requires multiple parties to contribute to an organization’s security. Use Info-Tech’s approach to:

    • Understand zero trust as a strategic platform for building your security roadmap.
    • Assess your current state and determine the benefits of adopting zero trust to help plan your roadmap.
    • Separate vendors from the hype surrounding zero trust to adopt a vendor-agnostic approach to your zero trust planning.

    Determine Your Zero Trust Readiness Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should determine your zero trust readiness, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand zero trust

    Recognize the zero trust ideal and understand the different zero trust schools of thought.

    2. Assess your zero trust readiness

    Assess and determine the benefits of zero trust and identify and evaluate vendors in the zero trust market.

    • Zero Trust Security Benefit Assessment Tool