Identify and Manage Strategic Risk Impacts on Your Organization

The world is in a perpetual state of change. Organizations need to build adaptive resiliency into their strategic plans to adjust to ever-changing market dynamics.

Analyst perspective

Organizations need to build flexible resiliency into their strategic plans to be able to adjust to ever-changing market dynamics.

Like most people, organizations are poor at assessing the likelihood of risk. If the past few years have taught us anything, it is that the probability of a risk occurring is far more flexible in the formula Risk = Likelihood * Impact than we ever thought possible. The impacts of these risks have been catastrophic, and organizations need to be more adaptive in managing them to strengthen their strategic plans.

Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge

Moreso than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their strategic plans to accommodate risk on an unprecedented level.

A new global change will impact your organizational strategy at any given time. So, make sure your plans are flexible enough to manage the inevitable consequences.

Common Obstacles

Identifying and managing a vendor’s potential strategic impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes affect strategic plans.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.

Info-Tech’s Approach

Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Impacts Tool.

Info-Tech Insight

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:

This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Strategic risk impacts

Potential losses to the organization due to risks to the strategic plan

• In this blueprint, we’ll explore strategic risks (risks to the Strategic Plans of the organization) and their impacts.
• Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct strategic plans.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

62%

of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

82%

of Microsoft’s non-essential employees shifted to working from home in 2020, joining the 18% already remote.

89%

of organizations invested in web conferencing technology to facilitate collaboration.

Source: Info-Tech Tech Trends Survey 2022

Strategic risks on a global scale

Odds are at least one of these is currently affecting your strategic plans

• Vendor Acquisitions
• Global Pandemic
• Global Shortages
• Gas Prices
• Poor Vendor Performance
• Travel Bans
• War
• Natural Disasters
• Supply Chain Disruptions
• Security Incidents

Make sure you have the right people at the table to identify and plan to manage impacts.

Identify & manage strategic risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their strategic planning moving forward.

Vendor Acquisitions

The IT market is an ever-shifting environment. Larger companies often gobble up smaller ones to control their sectors. Incorporating plans to manage those shifts in ownership will be key to many strategic plans that depend on niche vendor solutions for success. Be sure to monitor the potentially affected markets on an ongoing cadence.

Global Shortages

Organizations need to accept that shortages will recur periodically and that preparing for them will significantly increase the success potential of long-term strategic plans. Understand what your business needs to stock for project needs and where those supplies are located, and plan how to rapidly access and distribute them as required if supply chain disruptions occur.

What to look for in vendors

Identify strategic risk impacts

• A vendor acquires many smaller, seemingly irrelevant IT products. Suddenly their revenue model includes aggressive license compliance audits.
  • Ensure that your installed software meets license compliance requirements with good asset management practices.
  • Monitor the market for such acquisitions or news of audits hitting companies.
• A vendor changes their primary business model from storage and hardware to becoming a self-proclaimed “professional services guru,” relying almost entirely on their name recognition to build their marketing.
  • Be wary of self-proclaimed experts and review their successes and failures with other organizations before adopting them into your business strategy.
  • Review the backgrounds their “experts” have and make sure they have the industry and technical skill sets to perform the services to the required level.

Not preparing for your growth can delay your goals

Why can’t I get a new laptop?

For example:

• An IT professional services organization plans to take advantage of the growing work-from-home trend to expand its staff by 30% over the coming year.
• Logically, this should include a review of the necessary tasks involved, including onboarding.
  • Suppose the company does not order enough equipment in preparation to cover the new staff plus routine replacement. In that case, this will delay the output of the new team members immeasurably as they wait for their company equipment and will delay existing staff whose equipment breaks, preventing them from getting back to work efficiently.

Sometimes an organization has the right mindset to take advantage of the changes in the market but can fail to plan for the particulars.

When your strategic plan changes, you need to revisit all the steps in the processes to ensure a successful outcome.

Strategic risks

Poor or uninformed business decisions can lead to organizational strategic failures

• Supply chain disruptions and global shortages
  • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.
• Poor vendor performance
  • Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.
• Vendor acquisitions
  • A lot of acquisition is going on in the market today. Large companies are buying competitors and either imposing new terms on customers or removing the competing products from the market. Prepare options for any strategy tied to a niche product.

It is important to identify potential risks to strategic plans to manage the risk and be agile enough in planning to adapt to the changing environments.

Info-Tech Insight
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Prepare your strategic risk management for success

Due diligence will enable successful outcomes

1. Obtain top-level buy-in; it is critical to success.
2. Build enterprise risk management (ERM) through incremental improvement.
3. Focus initial efforts on the “big wins” to prove the process works.
4. Use existing resources.
5. Build on any risk management activities that already exist in the organization.
6. Socialize ERM throughout the organization to gain additional buy‑in.
7. Normalize the process long term with ongoing updates and continuing education for the organization.

(Adapted from COSO)

How to assess strategic risk

1. Review Organizational Strategy
   Understand the organizational strategy to prepare for the “What If” game exercise.
2. Identify & Understand Potential Strategic Risks
   Play the “What If” game with the right people at the table.
3. Create a Risk Profile Packet for Leadership
   Pull all the information together in a presentation document.
4. Validate the Risks
   Work with leadership to ensure that the proposed risks are in line with their thoughts.
5. Plan to Manage the Risks
   Lower the overall risk potential by putting mitigations in place.
6. Communicate the Plan
   It is important not only to have a plan but also to socialize it in the organization for awareness.
7. Enact the Plan
   Once the plan is finalized and socialized, put it in place with continued monitoring for success.
   

Insight summary

Insight 1

Organizations build portions of their strategies around chosen vendors and should protect those plans against the risks of unforeseen acquisitions in the market.
Is your vendor solvent? Does it have enough staff to accommodate your needs? Has its long-term planning been affected by changes in the market? Is it unique in its space?

Insight 2

Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.
For example, Philip's recall of ventilators impacted its products and the availability of its competitor’s products as demand overwhelmed the market.

Insight 3

Organizations need to become better at risk assessment and actively manage the identified risks to their strategic plans.
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Strategic risk impacts are often unanticipated, causing unforeseen downstream effects. Anticipating the potential changes in the global IT market and continuously monitoring vendors’ risk levels can help organizations modify their strategic alignment with the new norms.

Identifying strategic risk

Who should be included in the discussion

• While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
• Getting input from operational experts at your organization will enhance the long-term potential for success of your strategies.
• Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying new emerging potential strategic partners.

Review your strategic plans for new risks and evolving likelihood on a regular basis.

Keep in mind Risk = Likelihood x Impact (R=L*I).

Impact (I) tends to remain the same, while Likelihood (L) is a very flexible variable.

See the blueprint Build an IT Risk Management Program

Managing strategic risk impacts

What can we realistically do about the risks?

• Review business continuity plans and disaster recovery testing.
• Institute proper contract lifecycle management.
• Re-evaluate corporate policies frequently.
• Develop IT governance and change control.
• Ensure strategic alignment in contracts.
• Introduce continual risk assessment to monitor the relevant vendor markets.
  • Regularly review your strategic plans for new risks and evolving likelihood.
  • Risk = Likelihood x Impact (R=L*I)
    • Impact (I) tends to remain the same and be well understood, while Likelihood (L) turns out to be highly variable.
• Be adaptable and allow for innovations that arise from the current needs.
  • Capture lessons learned from prior incidents to improve over time, and adjust your strategy based on the lessons.

Organizations need to be reviewing their strategic risk plans considering the likelihood of incidents in the global market.

Pandemics, extreme weather, and wars that affect global supply chains are a current reality, not unlikely scenarios.

Ongoing Improvement

Incorporating lessons learned

• Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
• When it happens, follow your incident response plans and act accordingly.
• An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
• Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The “what if” game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

1. Break into smaller groups (or if too small, continue as a single group).
2. Use the Strategic Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Strategic Risk Impact Tool

Case Study

Airline Industry Strategic Adaptation

Industry: Airline

Impact categories: Pandemic, Lockdowns, Travel Bans, Increased Fuel Prices

• In 2019 the airline industry yielded record profits of $35.5 billion.
• In 2020 the pandemic devastated the industry with losses around $371 billion.
• The industry leaders engaged experts to conduct a study on how the pandemic impacted them and propose measures to ensure the survival of their industry in the future after the pandemic.
• They determined that “[p]recise decision-making based on data analytics is essential and crucial for an effective Covid-19 airline recovery plan.”

Results

The pandemic prompted systemic change to the overall strategic planning of the airline industry.

Summary

Be vigilant and adaptable to change

• Organizations need to learn how to assess the likelihood of potential risks in the changing global world.
• Those organizations that incorporate adaptive risk management processes can prepare their strategic plans for greater success.
• Bring the right people to the table to outline potential risks in the market.
• Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the strategic plan.
• Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market.

Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

• Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
• Prioritize and classify your vendors with quantifiable, standardized rankings.
• Prioritize focus on your high-risk vendors.
• Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Reduce Agile Contract Risk

• Customer maturity levels with Agile are low, with 67% of organizations using Agile for less than five years.
• Customer competency levels with Agile are also low, with 84% of organizations stating they are below a high level of competency.
• Contract disputes are the number one or two types of disputes faced by organizations across all industries.

Build an IT Risk Management Program

• Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

Bibliography

Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

Research Contributors and Experts

• Frank Sewell
  Research Director, Info-Tech Research Group
• Steven Jeffery
  Principal Research Director, Info-Tech Research Group
• Scott Bickley
  Practice Lead, Info-Tech Research Group
• Donna Glidden
  Research Director, Info-Tech Research Group
• Phil Bode
  Principal Research Director, Info-Tech Research Group
• David Espinosa
  Senior Director, Executive Services, Info-Tech Research Group
• Rick Pittman
  Vice President, Research, Info-Tech Research Group
• Patrick Philpot
  CISSP
• Gaylon Stockman
  Vice President, Information Security
• Jennifer Smith
  Senior Director

Design an Enterprise Architecture Strategy

Develop a strategy that fits the organization’s maturity and remains adaptable to unforeseen future changes.

EXECUTIVE BRIEF

Build a right-size enterprise architecture strategy

Enterprise Architecture – Thought Model

Enterprise Architecture Capabilities

Analyst Perspective

Enterprise architecture (EA) needs to be right-sized for the needs of the organization.

Enterprise architecture is NOT a one-size-fits-all endeavor. It needs to be right-sized to the needs of the organization.

Enterprise architects are boots on the ground and part of the solution; in addition, they need to have a good understanding of the corporate strategy, vision, and goals and have a vested interest on the optimization of the outcomes for the enterprise. They also need to anticipate the moves ahead, to be able to determine future trends and how they will impact the enterprise.

Milena Litoiu
Principal/Senior Director, Enterprise Architecture
Info-Tech Research Group

Analyst Perspective

EA provides business options based on a deep understanding of the organization.

“Enterprise architects need to think about and consider different areas of expertise when formulating potential business options. By understanding the context, the puzzle pieces can combine to create a positive business outcome that aligns with the organization’s strategies. Sometimes there will be missing pieces; leveraging what you know to create an outline of the pieces and collaborating with others can provide a general direction.”

Jean Bujold
Senior Workshop Delivery Director
Info-Tech Research Group

“The role of enterprise architecture is to eliminate misalignment between the business and IT and create value for the organization.”

Reddy Doddipalli
Senior Workshop Director, Research
Info-Tech Research Group

“Every transformation journey is an opportunity to learn: ‘Tell me and I forget. Teach me and I remember. Involve me and I learn.’ Benjamin Franklin.”

Graham Smith
Senior Lead Enterprise Architect and Independent Consultant

Develop an enterprise architecture strategy that:

• Helps the organization make decisions that are hard to change in a complex environment.
• Fits the current organization’s maturity and remains flexible and adaptable to unforeseen future changes.

Executive Summary

Your Challenge

We need to make decisions today for an unknown future. Decisions are influenced by:

• Changes in the environment you operate in.
• Complexity of both the business and IT landscapes.
• IT’s difficulty in keeping up with business demands and remaining agile.
• Program/project delivery pressure and long-term planning needs.
• Other internal and external factors affecting your enterprise.

Common Obstacles

Decisions are often made:

• Without a clear understanding of the business goals.
• Without a holistic understanding; sometimes in conflict with one another.
• That hinder the continuity of the organization.
• That prevent value optimization at the enterprise level.

The more complex an organization, the more players involved, the more difficult it is to overcome these obstacles.

Info-Tech’s Approach

• Is a holistic, top-down approach, from the business goals all the way to implementation.
• Has EA act as the canary in the coal mine. EA will identify and mitigate risks in the organization.
• Enables EA to provide an essential service rather than be an isolated kingdom or an ivory tower.
• Acknowledges that EA is a balancing act among competing demands.
• Makes decisions using guiding principles and guardrails, to create a flexible architecture that can evolve and expand, enabling enterprise agility.

Info-Tech Insight

There is no “right architecture” for organizations of all sizes, maturities, and cultural contexts. The value of enterprise architecture can only be measured against the business goals of a single organization. Enterprise architecture needs to be right-sized for your organization.

Info-Tech insight summary on arch. agility

Continuous innovation is of paramount importance in achieving and maintaining competitive advantage in the marketplace.

From the best industry experts

“The trick to getting value from enterprise architecture is to commit to the long haul.”

Jeanne W. Ross, MIT CISR
Co-author of Enterprise Architecture as Strategy: Creating a Foundation for Business Execution,
Harvard Business Press, 2006.

Typical EA maturity stages

Enterprise Architecture maturity

Innovator – Transforms the Business Reliable Technology Innovation Business Partner – Expands the Business Effective Use of Enterprise Architecture in all Business Projects, Enterprise Architecture Is Strategically Engaged Trusted Operator – Optimizes the Business Enterprise Architecture Provides Business, Data, Application & Technology Architectures for All IT Projects Firefighter – Supports the Business Reliable Architecture for Some Practices/Projects Unstable – Struggles to Support Inability to Provide Reliable Architectures

Info-Tech Insight

There is no “absolute maturity” for organizations of all sizes, maturities, and cultural contexts. The maturity of enterprise architecture can only be measured against the business goals of the organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 12 calls over the course of 4 to 6 months.

While variations depend on the maturity of the organization as well as its aspirations, these are some typical steps:

Phase 1

• Call #1: Explore the role of EA in your organization.

Phase 2

• Call #2: Identify and prioritize stakeholders.
• Call #3: Use a PESTLE analysis to identify business and technology needs.
• Call #4: Prepare for stakeholder interviews.
• Call #5: Discuss your EA value proposition.

Phase 3

• Call #5: Understand the importance of EA fundamentals.
• Call #6: Define the relevant EA services and their contributions to the organization.
• Call #7: Measure EA effectiveness.

Phase 4

• Call #8: Build your EA roadmap and communication plan.
• Call #9: Discuss the EA role relative to agility.
• Call #10: Summarize results and plan next steps.

Design an Enterprise Architecture Strategy

Phase 1

Explore the Role of Enterprise Architecture

This phase will walk you through the following activities:

Define the role of the group and different roles inside the enterprise architecture competency.

This phase involves the following participants:

• CIO
• IT Leaders
• Business Leaders

Enterprise architecture optimizes the outcomes of the entire organization

Corporate Strategy –› Enterprise Architecture Strategy

Info-Tech Insight

Enterprise architecture needs to have input from the corporate strategy of the organization. Similarly, EA governance needs to be informed by corporate governance. If this is not the case, it is like planning and governing with your eyes closed.

Existing EA functions vary in the value they achieve due to their level of maturity

Benefits of enterprise architecture

1. Focuses on business outcomes (business centricity)
2. Provides traceability of architectural decisions to/from business goals
3. Provides ways to measure results
4. Provides consistency across different lines of business: establishes a common vocabulary, reducing inconsistencies
5. Reduces duplications, creating additional efficiencies at the enterprise level
6. Presents an actionable migration to the strategy/vision, through short-term milestones/steps

Benefits of enterprise architecture continued

7. Done right, increases agility
8. Done right, reduces costs
9. Done right, mitigates risks
10. Done right, stimulates innovation
11. Done right, helps achieve the stated business goals (e.g. customer satisfaction) and improves the enterprise agility.
12. Done right, enhances competitive advantage of the enterprise

Qualities of a well-established and practical enterprise architecture

1. Objective
2. Impartial
3. Credible
4. Practical
5. Measurable
(Source: University of Toronto, 2021)

Role of the enterprise architecture

• Primarily to set up guardrails for the enterprise, so Agile teams work independently in a safe, ready-to-integrate environment
• Establish strategy
• Establish priorities
• Continuously innovate
• Establish enterprise standards and enterprise guardrails to guide Solution/Domain/Portfolio Architectures
• Align with and be informed by the organization’s direction

Members of the Architecture Board:

• Chief (Business) Strategist
• Lead Enterprise Architect
• Business SME from each major domain
• IT SME from each major domain
• Operational & Infrastructure SME
• Security & Risk Officer
• Process Management
• Other relevant stakeholders

For enterprise architecture to contribute, EA must address the organizational vision and goals

Info-Tech Insight

External forces can affect the organization as a whole; they need to be included as part of the holistic approach for enterprise architecture.

How does EA provide value?

Business and Technology Drivers – A set of statements created from business and technology needs. Gathered from information sources, it communicates improvements needed.

• Vision, Aspirations, Long-Term Goals – Vision, aspirations, long term goals
  
  
  • EA Contributions – EA contributions that will alleviate obstructions. Removing the obstructions will allow EA to help satisfy business and technology needs.
    
    
    • Promise of Value – A statement that depicts a concrete benefit that the EA practice can provide for the organization in response to business and technology drivers.

Info-Tech Insight

Enterprise architecture needs to create and be part of a culture where decisions are made through collaboration while focusing on enterprise-wide efficiencies (e.g. reduced duplication, reusability, enterprise-wide cost minimization, overall security, comprehensive risk mitigation, and any other cross-cutting concerns) to optimize corporate business goals.

The EA function scope is influenced by the EA value proposition and previously developed EA fundamentals

Establish the EA function scope by using the EA value proposition and EA fundamentals that have already been developed. After defining the EA function scope, refer back to these statements to ensure it accurately reflects the EA value proposition and EA fundamentals.

EA team characteristics

Create the optimal EA strategy by including personnel who understand a broad set of topics in the organization

The team assembled to create the EA strategy will be defined as the “EA strategy creation team” in this blueprint.

• Someone who has been in the organization for a long time and has built strong relationships with key stakeholders. This individual can exert influence and become the EA strategy sponsor.
• An individual who understands how the different technology components in the organization support its business operations.
• Someone in the organization who can communicate IT concepts to business managers in a language the business understands.
• An individual with a strategy background or perspective on the organization. This individual will understand where the organization is headed.
• Any individuals who feel an acute pain as a result of poorly made investment decisions. They can be champions of EA strategy in their respective functions.

EA skills and competencies

Apart from business know-how, the EA team should have the following skills

• Architectural thinking
• Analytical
• Trusted, credible
• Can handle complexity
• Can change perspectives
• Can learn fast (business and technology)
• Independent and steadfast
• Not afraid to go against the stream
• Able to understand problems of others with empathy
• Able to estimate scaling on design decisions such as model patterns
• Intrinsic capability to identify where relevant details are
• Able to identify root causes quickly
• Able to communicate complex issues clearly
• Able to negotiate and come up with acceptable solutions
• Can model well
• Able to change perspectives (from business to implementation and operational perspectives).

Use of enterprise architecture methodologies

Balance EA methodologies with Agile approaches

Using an enterprise architecture methodology is a good starting point to achieving a common understanding of what that is. Often, organizations agree to "tailor" methodologies to their needs.

The use of lean/Agile approaches will increase efficiency beyond traditional methodologies.

Use of EA methodologies vs. Agile methods

When to use what?

• Use an existing methodology to structure your thinking and establish a common vocabulary to communicate basic concepts, processes, and approaches.
• Customize the methodology to your needs; make it as lean as possible.
• Execute in an Agile way, but keep in mind the thoughtful checks recommended by your end-to-end methodology.
• Clarify goals.
• Have good measures and metrics in place.
• Continuously monitor progress, fit for purpose, etc.
• Highlight risks, roadblocks, etc.
• Get support.
• Communicate vision, goals, key decisions, etc.
• Iterate.

Business strategy first, EA strategy second, and EA operating model third

High-level perspective

Creating an effective practice involves many moving parts.

(Source: The Center for Organizational Design)

• Environment. Influences that are external to the organization, such as customer perceptions, changing needs, and changes in technology, and the organization’s ability to adjust to them.
• Strategy. The business strategy defines how the organization adds value and acts as the rudder to direct the organization. Organizational strategy defines the character of the organization, what it wants to be, its values, its vision, its mission, etc.
• Core Process. The flow of work through the organization.
• Structure. How people are organized around business processes. Includes reporting structures, boundaries, roles, and responsibilities. The structure should assist the organization with achieving its goals rather than hinder its performance.
• Systems. Interrelated sets of tasks or activities that help organize and coordinate work.
• Culture. The personality of the organization: its leadership style, attitudes, habits, and management practices. Culture measures how well philosophy is translated into practice.
• Results. Measurement of how well the organization achieved its goals.
• Leadership. Brings the organization together by providing vision and strategy; designing, monitoring, and nurturing the culture; and fostering agility.

The answer to the strategic planning entity dilemma is enterprise architecture

Enterprise architecture is a discipline that defines the structure and operation of an organization. The intent of enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.

EA spans across all the domains of architecture

Business architecture is the cornerstone that sets the foundation for all other architectural domains: security, data, application, and technology.

“An enterprise architecture practice is both difficult and costly to set up. It is normally built around a process of peer review and involves the time and talent of the strategic technical leadership of an enterprise.” (The Open Group Architecture Framework, 2018)

Enterprise architecture deployment continuum

Info-Tech Insight

The primary question during the design of the EA operating model is how to integrate the EA function with the rest of the business.

If the EA practice functions on its own, you end up with ivory tower syndrome and a dictatorship.

If you totally embed the EA function within business units it will become siloed with no enterprise value.

Organizations need to balance consistency at the enterprise level with creativity from the grass roots.

Enterprise vs. Program/Portfolio/Domain

Info-Tech Insight

Decisions at the enterprise level apply across multiple programs/portfolios/solutions and represent the guardrails set for all to play within.

Decide on the degree of centralization

Larger organizations with multiple domains/divisions or business units will need to decide which architecture functions will be centralized and which, if any, will be decentralized as they plan to scope their EA program. What are the core functions to be centralized for the EA to deliver the greatest benefits?

Typically, we see a need to have a centralized repository of reusable assets and standards across the organization, while other approaches/standards can operate locally.

Centralization

• Allows for more strategic planning
• Visibility into standards and assets across the organization promotes rationalization and cost savings
• Ensures enterprise-wide assets are used
• More strategic sourcing of vendors and resellers
• Can centrally negotiate pricing for better deals
• Easier to manage risk and prepare for audits
• Greater coordination of resources
• Derives benefits from enterprise decisions, e.g. integration…

Decentralization

• May allow for more innovation
• May be easier to demonstrate local compliance if the organization is geographically decentralized
• May be easier to procure software if offices are in different countries
• Deployment and installation of software on user devices may be easier

EA strategy

What is the role of enterprise architecture vis-à-vis business goals?

• What needs to be done?
• Who needs to be involved?
• When?
• Where?
• Why?
• How?

Top-down approach starting from the goals of the organization

What the Business Sees...
• Business Goals
  • Value Streams
    What the CxO Sees...
    • Capabilities
      What the App Managers See...
      • Processes
        • Applications
          What the Program Managers See...
          • Programs/Projects

Info-Tech Insight

Being able to answer the deceptively simple question “How am I doing?” requires traceability to and from the business goals to be achieved all the way to applications, to infrastructure, and ultimately, to the funded initiatives (portfolios, programs, projects, etc.).

Measure EA strategy effectiveness by tracking the benefits it provides to the corporate business goals

The success of the EA function spans across three main dimensions:

1. The delivery of EA-enabled business outcomes that are most important to the enterprise.
2. The alignment between the business and the technology from a planning perspective.
3. Improvements in the corporate business goals due to EA contributions (standardization, rationalization, reuse, etc.).

Info-Tech Insight

Organizations must create clear and smart KPIs (key performance indicators) across the board.

From corporate strategy to enterprise architecture

Info-Tech Insight

In the absence of a corporate strategy, enterprise architecture is missing its North Star.

However, enterprise architects can partner with the business strategists to build the needed vision.

Traceability to and from business corporate business goals to EA contributions (sample)

Enterprise architecture journey

Agile architecture principles

Agile architecture principles:

• Fast learning cycle
• Explore alternatives
• Create environment for decentralized ideation and innovation

According to the Scaled Agile Framework, three of the most applicable principles for the architectural professions refer to the following:

1. "Fast learning cycle" refers to learning cycles that allow for quick reiterations as well as the opportunity to fail fast to learn fast.
2. "Explore alternatives" refers to the exploration phase and also to the need to make tough decisions and balance competing demands.
3. "Create environment for decentralized ideation and innovation" ensures that no one has a monopoly on innovation. Moreover, EA needs to invite ideas from various stakeholders (from the business to operations as well as implementers, etc.).

Architecture roles in lean enterprises

Typical architecture roles in modern/Agile lean enterprises

• System Architect
• Solution Architect
• Enterprise Architect

Depth vs. strategy focus

Typical architect roles

Architecture roles continued

Common Domains Business Architecture Information Architecture Application Architecture Technical Architecture Integration Architecture Security Architecture Others

Info-Tech Insight

All architects are boots on the ground and play in the solutioning space. What differs is their decisions’ impact (the enterprise architect’s decisions affects all domains and solutions).

SAFe definitions of the Enterprise/Solution and System Architect roles can be found here.

The role of the Enterprise Architect is detailed here.

Collaboration models across the enterprise

(Adapted from Disciplined Agile)

There are both formal and informal collaborations between enterprise architects and solution architects across the enterprise.

Info-Tech Insight

Enterprise architects should collaborate with solutions architects to create the best solutions at the enterprise level and to provide guidance across the board.

Architect roles in SAFe

According to Scale Agile Framework 5 for Lean Enterprises:

• The system architect participates in the Essential SAFe
• Solution architects and system architects participate in Large Solution
• The enterprise architect participates in the Portfolio SAFe
• Enterprise, solution, and system architects are all involved in Full SAFe

Please check the SAFe Scaled Agile site for detailed information on the approach.

Architect roles and their participation in Agile events (see likely events and a typical calendar)

Info-Tech Insight

A clear commitment for architects to achieve and support agility is needed. Architects should not be in an ivory tower; they should be hands on and engaged in all relevant Agile ceremonies, like the pre- and post-program increment (PI) planning, etc.

Architect syncs are also required to ensure the needed collaboration.

Architect participation in Agile ceremonies, according to SAFe:

• Agile Architecture in SAFe
• Pre- and Post-PI Planning

Architecture runway (at scale)

Info-Tech Insight

Architecting for scale, modularity, and extensibility is key for the architecture to adapt to changing conditions and evolve.

Proactively address NFRs; architect for performance and security.

Continuously refine the solution intent.

For large solutions, longer foundational architectural runways are needed.

Having an intentional continuous improvement/continuous development (CI/CD) pipeline to continuously release, test, and monitor is key to evolving large and complex systems.

Parallel continuous exploration/integration/deployment

Info-Tech Insight

Architects need to help make some fundamental decisions, e.g. help define the environment that best supports continuous innovation or exploration and continuous integration, deployment, and delivery.

Typical strategic enterprise architecture involvement

Enterprise Architect —DRIVES–› Enterprise Architecture Strategy

Enterprise Architecture Strategy

• Application Strategy
• Business Strategy
• Data Strategy
• Implementation Strategy
• Infrastructure Strategy
• Inter-domain Collaboration
• Integration Strategy
• Operations Strategy
• Security Strategy
(Adapted from Scaled Agile)

The EA statement relative to agility

The enterprise architecture statement relative to agility specifies the architects’ responsibilities as well as the Agile protocols they will participate in. This statement will guide every architect’s participation in planning meetings, pre- and post-PI, various syncs, etc. Use simple and concise terminology; speak loudly and clearly.

Strong EA statement relative to agility has the following characteristics:

• Describes what different architect roles do to achieve the vision of the organization
• In an agile way
• Compelling
• Easy to grasp
• Sharply focused
• Specific
• Concise

Sample EA statement relative to agility

• Create strategies that provide guardrails for the organization, provide standards, reusable assets, accelerators, and other decisions at the enterprise level that support agility.
• Participate in pre-PI and post-PI planning activities, architect syncs, etc.

A clear statement can include additional details surrounding the enterprise architect’s role relative to agility

Below is a sample of connecting keywords to form an enterprise architect role statement, relative to agility.

Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture in an agile way.

Optimize – We collaborate with the business to analyze and optimize business capabilities and business processes to enable the agile and efficient attainment of [Company name] business objectives.

Transform – We support IT-enabled business transformation programs by building and maintaining a shared vision of the future-state enterprise and consistently communicating it to stakeholders.

Innovate – We identify and develop new and creative opportunities for IT to enable the business. We communicate the art of the possible to the business.

Defining and implementing – We engage with project teams early and guide solution design and selection to ensure alignment to the target-state enterprise architecture and provide guidance and accelerators.

Target enterprise structure in an agile way – We analyze business needs and priorities and assess the current state of the enterprise. We build and maintain the target enterprise architecture blueprints that define:

• Business capabilities and processes (business architecture)
• Data, application, and technology assets that enable business capabilities and processes (technology architecture)
• Architecture principles
• Standards and reusable assets
• Continuous exploration, integration, and deployment

Traditional vs. Agile approaches

Info-Tech Insight

The role of the architecture in Lean (Agile) approaches is to set up the needed guardrails and ensure a safe environment where everyone can be effective and creative.

Design an Enterprise Architecture Strategy

Phase 2

Create the EA Value Proposition

This phase will walk you through the following activities:

• Identify and prioritize EA stakeholders.
• Create business and technology drivers from stakeholder information.
• Identify business pains and technology drivers.
• Define EA contributions to alleviate the pains.
• Create promises of value to fully articulate the value proposition.

This phase involves the following participants:

• CIO
• IT Leaders
• Business Leaders

Step 2.1

Define the Business and Technology Drivers

Activities

• 2.1.1 Use a stakeholder power map to identify and prioritize EA stakeholders
• 2.1.2 Conduct a PESTLE analysis
• 2.1.3 Review strategic planning documents
• 2.1.4 Conduct EA stakeholder interviews

This step will walk you through the following activities:

• Learn the five-step process to create an EA value proposition.
• Uncover business and technology needs from stakeholders.

This step involves the following participants:

• CIO
• IT Leaders
• Business Leaders

Outcomes of this step

An understanding of your organization’s EA needs.

Create the Value Proposition

Value proposition is an important step in the creation of the EA strategy

Creating an EA value proposition should be the first step to realizing a healthy EA function. The EA value proposition demonstrates to organizational stakeholders the importance of EA in helping to realize their needs.

Five steps towards the successful articulation of EA value proposition:

1. Identify and prioritize stakeholders. The EA function must know to whom to communicate the value proposition.
2. Construct business and technology drivers. Drivers are derived from the needs of the business and IT. Needs come from the analysis of external factors, strategic documents, and interviewing stakeholders. Helping stakeholders and the organization realize their needs demonstrates the value of EA.
3. Discover pains that prevent driver realization. There are always challenges that obstruct drivers of the organization. Find out what they are to get closer to showing the value of EA.
4. Brainstorm EA contributions. Pains that obstruct drivers have now been identified. To demonstrate EA’s value, think about how EA can help to alleviate those pains. Create statements that show how EA’s contribution will be able to overcome the pain to show the value of EA.
5. Derive promises of value. Complete the articulation of value for the EA value proposition by stating how realizing the business or technology will provide in terms of value for the organization. Speak with the stakeholders to discover the value that can be achieved.

Info-Tech Insight

EA can deliver many benefits to an organization. To increase the likelihood of success, each EA group needs to commit to delivering value to their organization based on the current operating environment and the desired direction of the enterprise. An EA value proposition will articulate the group’s promises of value to the enterprise.

The foundation of an optimal EA value proposition is laid by defining the right stakeholders

All stakeholders need to know how the EA function can help them. Provide the stakeholders with an understanding of the EA strategy’s impact on the business by involving them.

A stakeholder map can be a powerful tool to help identify and prioritize stakeholders. A stakeholder map is a visual sketch of how various stakeholders interact with your organization, with each other, and with external audience segments.

“Stakeholder management is critical to the success of every project in every organization I have ever worked with. By engaging the right people in the right way in your project, you can make a big difference to its success…and to your career.” (Rachel Thompson, MindTools)

2.1.1 Use a stakeholder power map to identify and prioritize EA stakeholders

Input: Expertise from the EA strategy creation team

Output: An identified and prioritized set of stakeholders for the EA function to target

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

1. A stakeholder power map helps to visualize the importance of various stakeholders and their concerns so you can prioritize your time according to the most powerful and most impacted stakeholders.
2. Evaluate each stakeholder in terms of power, Involvement, impact, and support.
   • Power: How much influence does the stakeholder have? Enough to drive the project forward or into the ground?
   • Involvement: How interested is the stakeholder? How involved is the stakeholder in the project already?
   • Impact: To what degree will the stakeholder be impacted? Will this significantly change how they do their job?
   • Support: Is the stakeholder a supporter of the project? Neutral? A resistor?
3. Map each stakeholder to an area on the Power Map Template.
4. Ask yourself if the power map looks accurate. Is there someone who has no involvement in EA strategy development but should?
5. Some stakeholders may have influence over others. For example, a COO who highly values the opinion of the Director of Operations would be influenced by that director. Draw an arrow from one stakeholder to another to signify this relationship.

Download the Stakeholder Power Map Template for more detailed instructions on completing this activity.

Each stakeholder will have a set of needs that will influence the final EA value proposition

All stakeholders will have a set of needs they would like to address. Take those needs and translate them into business and technology drivers. Drivers help clearly articulate to stakeholders, and the EA function, the stakeholder needs to be addressed.

Gather information from stakeholders to begin the process of distilling business and technology drivers

Review information sources, then analyze them to derive business and technology drivers. Information sources are not targeted towards EA stakeholders. Analyze the information sources to create drivers that are relevant to EA stakeholders.

The PESTLE analysis will help you uncover external factors impacting the organization

PESTLE examines six perspectives for external factors that may impact business and technology needs. Below are prompting questions to facilitate a PESTLE analysis working session.

2.1.2 Conduct a PESTLE analysis

2 hours

Input: Expertise from EA strategy creation team

Output: Identified set of business and technology needs from PESTLE

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

1. Begin conducting the PESTLE analysis by breaking the participants into groups. Divide the six different perspectives amongst the groups.
2. Ask each group to begin to derive business and technology needs from their assigned perspectives. Use some of the areas noted below along with the questions on the previous slide to derive business and technology needs.
   • Political: Examine taxes, environmental regulations, and zoning restrictions.
   • Economic: Examine interest rates, inflation rate, exchange rates, the financial and stock markets, and the job market.
   • Social: Examine gender, race, age, income, disabilities, educational attainment, employment status, and religion.
   • Technological: Examine servers, computers, networks, software, database technologies, wireless capabilities, and availability of Software as a Service.
   • Legal: Examine trade laws, labor laws, environmental laws, and privacy laws.
   • Environmental: Examine green initiatives, ethical issues, weather patterns, and pollution.
3. Ask each group to take into account the following questions when deriving business and technology needs:
   • Will business components require any changes to address the factor?
   • Will information technology components changes be needed to address any factor?
4. Have each team record its findings. Have each team present its list and have remaining teams give feedback and additional suggestions. Record any changes in this step.

Download the PESTLE Analysis Template to assist with completing this activity.

Strategic planning documents can provide information regarding the direction of the organization

Some organizations (and business units) create an authoritative strategy document. These documents contain corporate aspirations and outline initiatives, reorganizations, and shifts in strategy. From these documents, a set of business and technology needs can be generated.

2.1.3 Review strategic planning documents

2 hours

Input: Strategic documents in the organization

Output: Identified set of business and technology needs from documents

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin the identification process of business and technology needs from strategic documents with the following steps:

1. Work with the EA strategy creation team to identify the strategic documents within the organization. Look for documents with any of the following content:
   • Corporate strategy document
   • Business unit strategy documents
   • Annual general reports
2. Gather the strategic documents into one place and call a meeting with the EA strategy creation team to identify the business and technology needs in those documents.
3. Pick one document and look through its contents. Look for future-looking words such as:
   • We will be…
   • We are planning to…
   • We will need…
4. Consider those portions of the document with future-looking words and ask the following:
   • Will business components require any changes to address these objectives?
   • Will information technology components changes be needed to address these objectives?
5. Record the business and technology needs identified in step 4. As well, record any questions you may have regarding the document contents for stakeholders to validate later.
6. Move to the next document once complete. Complete steps 3-5 for the remaining strategy documents.

Stakeholder interviews will help you collect primary data and will shed light on stakeholder priorities and challenges

In this interview process, you will be asking EA stakeholders questions that uncover their business and technology needs. You will also be able to ask follow-up questions to get a better understanding of abstract or complex concepts from the strategy document review and PESTLE analysis.

EA Stakeholders:

• Stakeholders may not think of their business and technology needs. But stakeholders will often explicitly state their objectives and initiatives.
• Objectives often result in risks, opportunities, and annoyances:
  • Risks: Potential damage associated with pursuing an objective or initiative.
  • Opportunities: Potential gains that could be leveraged when capturing objectives and initiatives.
  • Annoyances: Roadblocks that could hinder the pursuit of objectives and initiatives.
• Ask stakeholders questions on these areas to discern their business and technology needs.

Risks + Opportunities + Annoyances –› Business and Technology Needs

2.1.4 Conduct EA stakeholder interviews

4-8 hours

Input: Expertise from the EA stakeholders

Output: Business and technology needs for EA stakeholders

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team, Identified EA stakeholders

1. Schedule an interview with each of the stakeholders that were identified as key stakeholders in the Stakeholder Power Map.
2. Meet with the key EA stakeholders and start business and technology needs gathering. Schedule each identified key stakeholder for an interview.
3. When a stakeholder arrives for their interview, ask the following questions and record the answers to help uncover needs. Be sure to record which stakeholder answered the question. Further, record any future stakeholders that agree.
   • What are the current strengths of your organization?
   • What are the current weaknesses of your organization?
   • What is the number 1 risk you need to prevent?
   • What is the number 1 opportunity you want to capitalize on?
   • What is the number 1 annoying pet peeve you want to remove?
   • How would you prioritize these risks, opportunities, and annoyances?
4. Recorded answer example: “We can’t see what the other departments are doing; when we spend a lot of money to invest in something, we later find out the capability is already within the company.”
5. After completing each interview, verify with each stakeholder that you have captured their business and technology needs. Continue the interview process until all identified key stakeholders have been interviewed.
6. Capture all inputs into a SWOT (strengths, weaknesses, opportunities, and threats) format.

Step 2.2

Define Your Value Proposition

Activities

• 2.2.1 Create a set of business and technology drivers from business and technology needs
• 2.2.2 Identify the pains associated with the business and technology drivers
• 2.2.3 Identify the EA contributions that can address the pains
• 2.2.4 Create promises of value to shape the EA value proposition

This step will walk you through the following activities:

• Use business and technology drivers to determine EA’s role in your organization.

This step involves the following participants:

• CIO
• IT Leaders
• Business Leaders

Outcomes of this step

A value proposition document that ties the value of the EA function to stakeholder needs.

Create the EA Value Proposition

Synthesize the collected data into business and technology drivers

There are several key attributes that a driver should have. Driver Key Attributes A succinct statement. Begins with “action words” to communicate a call to action (e.g. Support, Help, Enable). Written in a language understood by all parties involved. Communicates a need for improvement or prevention.

“The greatest impact of enterprise architecture is the strategic impact. Put the mission and the needs of the organization first.” (Matthew Kern, Clear Government Solutions)

2.2.1 Create a set of business and technology drivers from business and technology needs

3 hours

Input: Expertise from EA strategy creation team

Output: A set of business and technology drivers

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team, EA stakeholders

Meet with the EA strategy creation team and follow the steps below to begin the process of synthesizing the business and technology needs into drivers.

1. Lay out the documented business and technology needs your team gathered from PESTLE analysis, strategy document reviews, and stakeholder interviews.
2. Assess the documented business and technology needs to see if there are common themes. Consolidate those similar business and technology needs by crafting one driver for them. For example:
   • PESTLE: Influx of competitors in the marketplace causing tighter margins.
   • Document review: Improve investment quality and their value to the organization.
   • Stakeholder interview: “We can’t see what the other departments are doing; when we spend a lot of money to invest in something, we later find out the capability is already within the company.”
   • Consolidated business driver example: Help the organization align investments with the corporate strategy and departmental priorities.
3. As well, synthesize the business and technology needs that cannot be consolidated.
4. Verify the completed list of drivers with stakeholders. This is to ensure you have fully captured their needs.

Download the EA Value Proposition Template to record your findings in this activity.

When addressing business and technology drivers, an organization can expect obstacles

A pain is an obstacle that business stakeholders will face when attempting to address business and technology drivers. Identify the pains associated with each driver so that EA’s contributions can be linked to resolving obstacles to address business needs.

2.2.2 Identify the pains associated with the business and technology drivers

2 hours

Input: Expertise from EA strategy creation team and EA stakeholders

Output: An associated pain that obstructs each identified driver

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team, EA stakeholders

Call a meeting with the EA strategy creation team and any available stakeholders to identify the pains that obstruct addressing the business and technology drivers.

Take each driver and ask the questions below to the EA strategy creation team and to any EA stakeholders who are available. Record the answers to identify the pains when realizing the drivers.

1. What are your challenges in performing the activity or process today?
2. What other business activities/processes will be impacted/improved if we solve this?
3. What compliance/regulatory/policy concerns do we need to consider in any solution?
4. What are the steps in the process/activity?

Take the recorded answers and follow the steps below to create the pain statements:

1. Answers to the questions above can be long, unfocused, or spoken in a casual manner. To turn the answer into pains, refine the recorded answers into a succinct sentence that captures its meaning.
   • Recorded answer example: “I feel like there needs to be a holistic view of the organization. If we had a tool to see all the capabilities across the business, then we can figure out what investments should be prioritized.”
   • Example of pain statement: Lack of holistic view of business capabilities obstructs the organization from aligning investments with corporate strategy and departmental priorities.
2. When the list of pains has been written out, verify with the stakeholders that you have fully captured their pains.

Download the EA Value Proposition Template to record your findings in this activity.

The identified pains can be alleviated by a set of EA contributions

Set the foundations for the value proposition by brainstorming the EA contributions that can alleviate the pains.

Enterprise architecture functions can provide a diverse set of contributions to any organization – Sample

2.2.3 Identify the EA contributions that can address the pains

2 hours

Input: Expertise from EA strategy creation team

Output: EA contributions that addresses the pains that were identified

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Gather with the EA strategy creation team, take each pain, then ask and record the answers to the questions below to identify the EA contributions that would solve the pains:

1. What activities can the EA practice conduct to overcome the pain?
2. What are the core EA models that can help accurately define the problem and assist in finding appropriate resolutions?
3. What are the general EA benefits that can be associated with solving this pain?

Answers to the questions above will generate a list of activities EA can do to help alleviate the pains. Use the following steps to complete this activity:

1. Create a stronger tie between the EA contributions and pains by linking the EA contribution statement to the pain.
   • Example of pain statement: Lack of holistic view of business capabilities obstructs the organization from aligning investments with corporate strategy and departmental priorities.
   • Example of EA contributions statement: Business capability mapping shows the business capabilities of the organization and the technology that supports those capabilities in the current and target state. This provides a view for the set of investments that are needed by the organization, which can then be prioritized.
2. Verify with the stakeholders that they understand the EA contributions have been written out and how those contributions address the pains.

Download the EA Value Proposition Template to record your findings in this activity.

EA promises of value articulate EA’s commitment to the organization

• Business Goals and Technology Drivers
  A set of statements created from business and technology needs. Gathered from information sources, it communicates improvements needed.
  
  
  • Value Streams, Aspirations, Long-Term Goals
    Value streams, aspirations, long-term goals
    
    
    • EA Contributions
      EA contributions that will alleviate the obstructions. Removing the obstructions will allow EA to help satisfy business and technology needs.
      
      
      • Promise of Value
        A statement that depicts a concrete benefit the EA practice can provide for the organization in response to business and technology drivers.
        Communicate the statements in a language that stakeholders understand to complete the articulation of EA’s value proposition.

2.2.4 Create promises of value to shape the EA value proposition

2 hours

Input: Expertise from EA strategy creation team and EA stakeholders

Output: Promises of value for each business and technology driver

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team, EA stakeholders

Now that the EA contributions have been identified, identify the promises of value to articulate the value proposition.

Take each driver, then ask and record the answers to the questions below to identify the promises of value when realizing the drivers:

1. What does amazing look like if we solve this perfectly?
2. What other business activities/processes will be impacted/improved if we solve this?
3. What measures of success/change should we use to prove value of the effort (KPIs/ROI)?

Take the recorded answers and follow the steps below to create the promises of value.

1. Answers to the questions above can be long, unfocused, or spoken in a casual manner. To turn the answer into a promise of value, refine the recorded answer into a succinct sentence that captures its meaning.
   • Business driver example: Help the organization align investments with the corporate strategy and departmental priorities.
   • Recorded answer example: “If this would be solved perfectly, we would have a very easy time planning investments and investment planning hours can be spent doing other activities.”
   • Promises of value example: Increase the number of investments that have a direct tie to corporate strategy.
2. When the promises of value have been written out, verify with the stakeholders that you have fully captured their ideas.

Download the EA Value Proposition Template to record your findings in this activity.

Design an Enterprise Architecture Strategy

Phase 3

Build the EA Fundamentals

This phase will walk you through the following activities:

• Create an EA vision statement and an EA mission statement.
• Create EA goals, define EA objectives, and link them to EA goals.
• Define the EA function scope dimensions.
• Create a set of EA principles for your organization.
• Discuss current methodology.

This phase involves the following participants:

• CIO
• EA Team
• IT Leaders
• Business Leaders

Step 3.1

Realize the Importance of EA Fundamentals

Activities

• 3.1.1 Create the EA vision statement
• 3.1.2 Create the EA mission statement
• 3.1.3 Create EA goals
• 3.1.4 Define EA objectives and link them to EA goals
• 3.1.5 Record the details of each EA objective

This step will walk you through the following activities:

• Define and document the fundamentals that guide the EA function.

This step involves the following participants:

• CIO
• EA Team
• IT Leaders
• Business Leaders

Outcomes of this step

• Vision and mission statements for the EA function.
• A set of EA goals and a set of objectives to track progression toward those goals.

EA fundamentals guide the EA function

EA fundamentals include a vision statement, a mission statement, goals and objectives, and principles. They are a set of documented statements that guide the EA function. The fundamentals guide the EA function in terms of its strategy and decision making.

Info-Tech Insight

Treat the critical elements of the EA group the same way as you would a business. Create a directional foundation for EA and define the vision, mission, goals, principles, and scope necessary to deliver on the established value proposition.

The EA vision statement articulates the aspirations of the EA function

The enterprise architecture vision statement communicates a desired future state of the EA function. The statement is expressed in the present tense. It seeks to articulate the desired role of the EA function and how the EA function will be perceived.

Strong EA vision statements have the following characteristics:

• Describe a desired future
• Focus on ends, not means
• Communicate promise
• Concise, no unnecessary words
• Compelling
• Achievable
• Inspirational
• Memorable

Sample EA vision statements:

• To be a trusted partner for both the business and IT, driving enterprise effectiveness, efficiency, and agility at [Company Name].
• To be a trusted partner and advisor to both the business and IT, contributing to business-IT alignment and cost reduction at [Company Name].
• To create distinctive value and accelerate [Company Name]’s transformation.

The EA mission statement articulates the purpose of the EA function

The enterprise architecture mission statement specifies the team’s purpose or “reason of being.” The mission should guide each day’s activities and decisions. The mission statements use simple and concise terminology, speak loudly and clearly, and generate enthusiasm for the organization.

Strong EA mission statements have the following characteristics:

• Articulates EA function purpose and reason for existence
• Describes what the EA function does to achieve its vision
• Defines who the customers of the EA function are
• Compelling
• Easy to grasp
• Sharply focused
• Inspirational
• Memorable
• Concise

Sample EA mission statements:

• Define target enterprise architecture for [Company Name], identify solution opportunities, inform IT investment management, and direct solution development, acquisition, and operation compliance.
• Synergize with both the business and IT to define and help realize [Company Name]’s target enterprise architecture that enables the business strategy and optimizes IT assets, resources, and capabilities.

The EA vision and mission statements become relevant to EA stakeholders when linked to the promises of value

The process for constructing the enterprise architecture vision statement and enterprise architecture mission statement is articulated below.

Derive keywords from promises of value to begin the vision and mission statement creation process

Develop keywords by summarizing the promises of value that were derived from drivers into one word that will take on the essence of the promise. See examples below:

An inspirational vision statement is greater than the sum of the individual words

Ensure the sentence is cohesive and captures additional value outside of the keywords. The statement as a whole should be greater than the sum of the parts. Expand upon the meaning of the words, if necessary, to communicate the value. Below is an example of a finished vision statement.

Be a catalyst for IT-enabled business value delivery.

Catalyst – We will continuously interact with the business and IT to accelerate and improve results.

IT-enabled – We will ensure the optimal use of technology in enabling business capabilities to achieve business objectives.

Business – We will be perceived as a business-focused unit that understands [Company name]’s business priorities and required business capabilities.

Value delivery – EA’s value will be recognized by both business and IT stakeholders. We will track and market EA’s contribution to business value organization-wide.

A clear mission statement can include additional details surrounding the EA team’s desired and expected value

Likewise, below is a sample of connecting keywords together to form an EA mission statement:

Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture.

Optimize – We collaborate with the business to analyze and optimize business capabilities and business processes to enable the agile and efficient attainment of [Company name] business objectives.

Transform – We support IT-enabled business transformation programs by building and maintaining a shared vision of the future-state enterprise and consistently communicating it to stakeholders.

Innovate – We identify and develop new and creative opportunities for IT to enable the business. We communicate the art of the possible to the business.

Defining and implementing – We engage with project teams early and guide solution design and selection to ensure alignment to the target-state enterprise architecture.

Target enterprise structure – We analyze business needs and priorities and assess the current state of the enterprise. We build and maintain the target enterprise architecture blueprints that define:

• Business capabilities and processes (business architecture)
• Data, application, and technology assets that enable business capabilities and processes (technology architecture)
• Architecture principles and standards

3.1.1 Create the EA vision statement

1 hour

Input: Identified promises of value, Vision statement test criteria

Output: EA function vision statement

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin the creation of the EA vision statement by following the steps below:

1. Gather the EA strategy creation team and have the promises of value from the EA value proposition laid out.
2. Select one promise of value and work with the team to identify one word that captures the essence of that promise of value.
3. Continue to the next promise of value until all of the promises of value have a keyword identified.
4. Have the identified set of keywords laid out and see if any of their meanings are similar and can be consolidated together. Consolidate similar meaning keywords.
5. Create the initial draft of the EA vision statement by linking the keywords together.
6. Check the initial draft of the vision statement against the test criteria below. Ask the team if the vision statement satisfies each of the test criteria.
   • Do you find this vision exciting?
   • Is the vision clear, compelling, and easy to grasp?
   • Does this vision somehow connect to the core purpose?
   • Will this vision be exciting to a broad base of people in the organization, not just those within the EA team?
7. Make changes to the initial draft to satisfy the test criteria. Socialize the EA vision statement with EA stakeholders to make sure it captures their needs.

3.1.2 Create the EA mission statement

1 hour

Input: Identified promises of value, Mission statement test criteria

Output: EA function mission statement

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin the creation of the EA mission statement by following the steps below:

1. Gather the EA strategy creation team and have the promises of value from the EA value proposition laid out.
2. Select one promise of value and work with the team to identify one word that captures the essence of that promise of value.
3. Continue to the next promise of value until all of the promises of value have a keyword identified.
4. Have the identified set of keywords laid out, and see if any of their meanings are similar and can be consolidated together. Consolidate similar meaning keywords.
5. Create the initial draft of the EA mission statement by linking the keywords together.
6. Check the initial draft of the mission statement against the following test criteria below. Ask the team if the mission statement satisfies each of the test criteria.
   • Do you find this purpose personally inspiring?
   • Does the purpose help you to decide what activities to not pursue, to eliminate from consideration? Is this purpose authentic – something true to what the organization is all about – not merely words on paper that sound nice?
   • Would this purpose be greeted with enthusiasm rather than cynicism by a broad base of people in the organization?
7. Make changes to the initial draft to satisfy the test criteria. Socialize the EA mission statement with EA stakeholders to make sure it captures their needs.

EA goals demonstrate the achievement of success of the EA function

Enterprise architecture goals define specific desired outcomes of an EA function. EA goals are important because they establish the milestones the EA function can strive toward to deliver their promises of value.

3.1.3 Create EA goals

2 hours

Input: Identified promises of value

Output: EA goals

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin the creation of EA goals by following the steps below:

1. Gather the EA strategy creation team and the identified promises of value from Phase 2, Create the EA Value Proposition.
2. Open the EA Goals and Objectives Template and examine the list of default EA goals already within the template.
3. Take the identified promises of value and discuss with the team if any of the EA goals in the template relate to the promises of value. Record the related EA goal and promise of value. See example below:
   • Promises of value example: Increase the number of investments that have a direct tie to corporate strategy.
   • Related EA goal example: Alignment of IT and business strategy.
4. Repeat step 3 until all identified promises of value have been examined in relation to the EA goals in the template.
5. If there are promises of value that are not related to an EA goal in the template, create EA goals to relate to those promises of value. Keep in mind that EA goals need to support the strategic outcomes produced by the promises of value. Record the EA goals in the template and document the related promises of value.

Download the EA Goals and Objectives Template to assist with completing this activity.

Starting with COBIT, select the appropriate objectives to track EA goals – Sample

Below are examples of EA goals and the objectives that track their performance:

3.1.4 Define EA objectives and link them to EA goals

2 hours

Input: Defined EA goals

Output: EA objectives linked to EA goals

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin the process of defining EA objectives and linking them to EA goals using the following steps:

1. Gather the EA strategy creation team and open the EA Goals and Objectives Template.
2. Have the goals laid out, and refer to the objectives already in the EA Goals and Objectives Template. Examine if any of them will fit the goals your team has created.
3. If some of the goals your team has created do not fit with the objectives in the template, begin the process of creating new objectives. Remember, EA objectives are SMART metrics that help track the progress toward the EA goals.
4. Create an EA objective and check if it is SMART by asking some of the questions below:
   • Specific: Is the objective specific to the goal? Is the objective clear to anyone who has basic knowledge of the goal?
   • Measurable: Is it possible to figure out how far the team would be away from completing the objective?
   • Agreed Upon: Does everyone involved agree the objective is the correct way to measure progress?
   • Realistic: Can the objective be met within the availability of resources, knowledge, and time?
   • Time Based: Is there a time-bound component to the goal?
5. Continue to create new objectives until each goal has an objective linked to it.

Download the EA Goals and Objectives Template to assist with completing this activity.

For each of the objectives, determine how they will be collected, reported, and implemented

Add details to the enterprise architecture objectives previously defined to increase their clarity to stakeholders.

3.1.5 Record the details of each EA objective

2 hours

Input: Defined list of EA objectives

Output: Increased detail into each defined EA objective

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Record the details of each EA objective. Use the following steps below to assist with recording the details:

1. Gather the EA strategy creation team, and open the EA Goals and Objectives Template.
2. Select one objective that has been identified and discuss the formula for calculating the objective and in what units the objective will be recorded. Record the information in the “Calculation formula” and “Unit of measure” columns in the template once they have been agreed upon.
3. Using the same objective, move to the “Data Collection” portion of the template. Discuss and record the following: the source of the data that generates the objective, the frequency of reporting on the objective, and the person responsible for reporting the objective.
4. Move to the “Reporting” portion of the template. Discuss and record the target audience for the objective and the reporting frequency and method to those audiences.
5. Examine the “Objective baseline,” “Objective status,” and “Objective target” columns. Record any measurement you may currently have in the “Objective baseline” column. Record what you would like the objective measurement to be in the “Objective target” column. Note: Keep track of the progression towards the target in the “Objective status” column in the future.
6. Select the next objective and complete steps 2–5 for that measure. Continue this process until you have recorded details for all objectives.

Download the EA Goals and Objectives Template to assist with completing this activity.

Step 3.2

Finalize the EA Fundamentals

Activities

• 3.2.1 Define the organizational coverage dimension of the EA function scope
• 3.2.2 Define the architectural domains and depth dimension
• 3.2.3 Define the time horizon dimension
• 3.2.4 Create a set of EA principles for your organization
• 3.2.5 Add the rationale and implications to the principles
• 3.2.6 Operationalize the EA principles
• 3.2.7 Discuss the need for classical methodology and/or a combination including Agile practices

This step will walk you through the following activities:

• Define the EA function scope dimensions.
• Create a set of EA principles.
• Discuss the organization’s current methodology, if any, and whether it works for the business.

This step involves the following participants:

• CIO
• EA Team
• IT Leaders
• Business Leaders

Outcomes of this step

• Defined scope of the EA function.
• A set of EA principles for your organization.
• A decision on traditional vs. Agile methodology or a blend of both.

Build the EA Fundamentals

A clear EA function scope defines the EA sandbox

The EA function scope constrains the promises of value the EA function will deliver on by taking into account factors across four dimensions. The EA function scope ensures that the EA function is not stretched beyond its current/planned means and capabilities when delivering the promised value. The four dimensions are illustrated below:

The EA function scope is influenced by the EA value proposition and previously developed EA fundamentals

Establish the EA function scope by using the EA value proposition and EA fundamentals that have been developed. After defining the EA function scope, refer back to these statements to ensure the EA function scope accurately reflects the EA value proposition and EA fundamentals.

EA scope – Organizational Coverage

The organizational coverage dimension of EA scope determines the focus of enterprise architecture effort in the organization. Coverage can be determined by specific business units, functions, departments, capabilities, or geographic areas. Info-Tech has typically seen two types of coverage based on the size of the organization.

Small and medium-size enterprise

Indicators: Full-time employees dedicated to manage its data and IT infrastructure. Individuals are IT generalists and may have multiple roles.

Recommended coverage: Typically, for small and medium-size businesses, the organizational coverage of architecture work is the entire enterprise. (Source: The Open Group, 2018)

Large enterprise

Indicators: Dedicated full-time IT staff with expertise to manage specific applications or parts of the IT infrastructure.

Recommended coverage: For large enterprises, it is often necessary to develop a number of architectures focused on specific business segments and/or geographies. In this federated model, an overarching enterprise architecture should be established to ensure interoperability and conformance to overarching EA principles. (Source: DCIG, 2011)

EA objectives track the progression towards the target set by EA goals

Enterprise architecture objectives are specific metrics that help measure and monitor progress towards achieving an EA goal. Objectives are SMART.

Download the EA Goals and Objectives Template to see examples between the relationship of EA goals to objectives.

Measure the EA strategy effectiveness by tracking the benefits it provides to the corporate business goals

The success of the EA function is influenced by the following:

• The delivery of EA-enabled business outcomes that are most important to the enterprise.
• The alignment between the business and IT from a planning perspective.
• Improvements in the corporate business goals due to EA contributions (standardization, rationalization, reuse, etc.).

3.2.1 Define the organizational coverage dimension of the EA function scope

2 hours

Input: EA value proposition, Previously defined EA fundamentals

Output: Organizational coverage dimension of EA scope defined

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Define the organizational coverage of the EA function scope using the following steps below:

1. Gather the EA strategy creation team. As well, gather the EA value proposition, the EA vision and mission statements, and the EA goals and objectives your team has already created.
2. Ask the team to read each of the documents gathered in the previous step. This ensures the concepts are fresh in the team members’ minds when defining the EA function scope organizational coverage.
3. Consider how much of the organization the EA function would need to cover. Refer to the gathered materials to assist with your decision. For example:
   • EA mission statement: Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture.
   • Implications on organizational coverage: If the purpose of the EA function is to help optimize, transform, and innovate with target-state architecture mapping, then the scope should cover the entire organization. Only by mapping the entire organization’s architecture can the EA function assist with optimizing, transforming, and innovating.
4. Work with the EA strategy creation team to examine all the gathered materials and document the implications on organization coverage as shown in step 3.
5. Discuss with the team and select the organizational coverage level that best fits the documented implications for all the gathered materials. Refer back to the gathered materials and make any changes necessary to ensure they support the selected organizational coverage.

EA scope – Architectural Domains

A complete enterprise architecture should address all five architectural domains. The five architectural domains are business, data, application, infrastructure, and security.

“The realities of resource and time constraints often mean there is not enough time, funding, or resources to build a top-down, all-inclusive architecture encompassing all four architecture domains. Build architecture domains with a specific purpose in mind.” (The Open Group, 2018)

Each architectural domain creates a different view of the organization

Below are the definitions of different domains of enterprise architecture (Info-Tech perspective; others can be identified as well, e.g. Integration Architecture).

EA scope – Depth

EA scope depth defines the architectural detail for each EA domain that the organization has selected to pursue. The level of depth is broken down into four levels. The level of depth the organization decides to pursue should be consistent across the domains.

Each architectural depth level contains a set of key artifacts

The graphic below depicts examples of the key artifacts that each domain of architecture would produce at each depth level.

3.2.2 Define the architectural domains and depth dimension of the EA function scope

2 hours

Input: EA value proposition, Previously defined EA fundamentals

Output: Architectural domain and depth dimensions of EA scope defined

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Define the EA function scope for your organization using the following steps below:

1. Gather the EA strategy creation team. As well, gather the EA value proposition, the EA vision and mission statements, and the EA goals and objectives that your team has already created.
2. Ask the team to read each of the documents gathered in the previous step. This ensures the concepts are fresh in the team members’ minds when defining the architectural domains and depth of the EA function scope.
3. Consider the architectural domains and the depth those domains need to reach. Refer to the gathered materials to assist with your decision. For example:
   • Promise of value: Increase the number of IT investments with a direct tie to business strategy.
   • Implications on architectural domains: The EA function will need business architecture. Business architecture generates business capability mapping, which will anticipate what IT investments are needed for the future.
   • Implications on depth: Depth for business architecture needs to reach a logical level to encompass business capabilities.
4. Work with the EA strategy creation team to examine all the gathered materials and document the implications on architectural domains and depth as shown in step 3.
5. Discuss with the team and select the architectural domains and the depth for each domain that best fits the documented implication. Refer back to the gathered materials and make any changes necessary to ensure they support the selected architectural domains and depth.

EA scope – Time Horizon

The EA scope time horizon dictates how long to plan for the architecture.

It is important that the EA team’s work has an appropriate planning horizon while avoiding two extremes:

1. A planning horizon that is too short focuses on immediate operational goals and strategic quick wins, missing the “big picture,” and fails to support the achievement of strategic long-term enterprise goals.
2. A planning horizon that is too long is at a higher risk of becoming irrelevant.

Target the same strategic planning horizon as your business. Additionally, consider the following recommendations:

3.2.3 Define the time horizon dimension of the EA function scope

2 hours

Input: EA value proposition, Previously defined EA fundamentals

Output: Time horizon dimension of EA scope defined

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Define the EA function scope for your organization using the following steps below:

1. Gather the EA strategy creation team. As well, gather the EA value proposition, the EA vision and mission statements, and the EA goals and objectives your team has already created.
2. Ask the team to read each of the documents gathered in the previous step. This ensures the concepts are fresh in the team members’ minds when crafting the EA function scope.
3. Consider the time horizons of the EA function scope. Refer to the gathered materials to assist with your decision. For example:
   • EA Objective: Increase the percentage of enterprise strategic goals and requirements supported by IT strategic goals by 30% in the next 3 years.
   • Implications on time horizon: Because it will take 3 years to measure the success of these EA objectives, the time horizon may need to be 3 years.
4. Work with the EA strategy creation team to examine all the gathered materials and document the implications on time horizon as shown in step 3.
5. Discuss with the team and select the time horizon that best fits the documented implication. Refer back to the gathered materials and make any changes necessary to ensure they support the selected architectural time horizon.

EA principles capture the EA value proposition essence and provide guidance for the decisions that impact architecture

EA principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting target-state enterprise architecture design, IT investment portfolio management, solution development, and procurement decisions.

EA principles must be carefully constructed to make sure they are adhered to and relevant

Info-Tech has identified a set of characteristics that EA principles should possess. Having these characteristics ensures the EA principles are relevant and followed in the organization.

Review ten universal EA principles to determine if your organization wishes to adopt them

3.2.4 Create a set of EA principles for your organization

2 hours

Input: Info-Tech’s ten universal EA principles, Identified promises of value

Output: A defined set of EA principles for your organization

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Create a set of EA principles for your organization using the steps below:

1. Gather the EA strategy creation team, download the EA Principles Template – EA Strategy, and have the identified promises of value opened.
2. Select one universal principle and relate it to the promises of value by discussing with the EA strategy creation team. If there is a relation, record “Yes” in the template on the slide “Select the applicability of 10 universally accepted EA principles.” See example below:
   • Universal principle: Enterprise value focus – We aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks.
   • Related promise of value example: Increase the number of investments that have a direct tie with corporate strategy.
3. Continue the process in step 2 until all ten universal EA principles have been examined. If there is a universal principle that is unrelated to a promise of value, discuss with the team whether the principle still needs to be included. If the principle is not included, record “No” in the template on the slide “Select the applicability of 10 universally accepted EA principles.”
4. If there are any promises of value that are not captured by the universally accepted EA principles, the team may choose to create new principles. Create the new principles in the format below and record them in the template.
   • Name: The name of the principle, in a few words.
   • Statement: A sentence that expands on the “Name” section and explains what the principle achieves.

Download the EA Principles Template – EA Strategy to document this step.

Organizational stakeholders are more likely to follow EA principles when a rationale and an implication are provided

After defining the set of EA principles, ensure they are all expanded upon with a rationale and implications. The rationale and implications ensure principles are more likely to be followed because they communicate why the principles are important and how they are to be used.

3.2.5 Add the rationale and implications to the principles that have been created

2 hours

Input: Identified set of EA principles

Output: EA principles that have rationale and implications

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Add the rationale and implication of each EA principle that your organization has selected using the following steps:

1. Gather the EA strategy creation team and open the EA Principles Template – EA Strategy.
2. Examine the EA Principles Template – EA Strategy. Look for the detailed descriptions of all the applicable EA universal principles, and discuss with the team whether the pre-populated rationale and implications need to be changed.
3. Make sure all the rationale and implication sections of the applicable universal EA principles have been examined. Record the changes on the slide devoted to each principle in the template.
4. Examine any new principles created outside of the universal EA principles. Create the rationale and implication sections for each of those principles. Use the slide “Review the rationale and implications for the applicable universal principles” in the EA Principles Template – EA Strategy to assist with this step.

Download the EA Principles Template – EA Strategy to document this step.

3.2.6 Operationalize the EA principles to ensure they are used when decisions are being made

1-2 hours

Input: Defined set of EA principles

Output: EA principles are successfully operationalized

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin to operationalize the EA principles by reviewing the proposed principles with business and technology leadership to secure their approval.

1. Publish the list of principles, their rationale, and their implications.
2. Include the principles in any existing policies that guide decision making for the use of technology within the business.
3. Provide existing governance bodies with the authority to enforce adherence to principles, and communicate the waiver process.
4. Ensure that project-level teams are aware of the principles and have at least one champion guiding the decisions of the team.

Review a use case for the utilization of EA principles – Sample

After operationalizing the EA principles for your organization, the organization can now use those principles to guide and inform its IT investment decisions. Below is an example of a scenario where EA principles were used to guide and inform an IT investment decision.

Organization wants to provision an application but it needs to decide how to do so, and it considers the relevant EA principles:

• Reuse › buy › build
• Managed security
• Innovation

The organization has decided to go with a specialized vendor, even though it normally prefers to reuse existing components. The vendor has experience in this domain, understands the data security implications, and can help the organization mitigate risk. Lastly, the vendor is known for providing new solutions on a regular basis and is a market leader, making it more likely to provide the organization with innovative solutions.

An oil and gas company created EA fundamentals to guide the EA function

CASE STUDY

Industry: Oil & Gas
Source: Info-Tech

Challenge

As an enterprise architecture function starting from ground zero, the organization did not have the EA fundamentals in place to guide the EA function. Further, the organization also did not possess an EA function scope to define the boundaries of the EA function.

Due to the lack of EA scope, the EA function did not know which part of the organization to provide contributions toward. A lack of EA fundamentals caused confusion regarding the future direction of the EA function.

Solution

Info-Tech worked with the EA team to define the different components of the EA fundamentals. This included EA vision and mission statements, EA goals and objectives, and EA principles.

Additionally, Info-Tech worked with the EA team to define the EA function scope.

These EA strategy components were created by examining the needs of the business. The components were aligned with the identified needs of the EA stakeholders.

Results

The defined EA function scope helped set out the responsibilities of the enterprise architecture function to the organization.

The EA vision and mission statements and EA goals and objectives were used to guide the direction of the EA function. These fundamentals helped the EA function improve its maturity and deliver on its promises.

The EA principles were used in IT review boards to guide the decisions on IT investments in the organization.

3.2.7 Discuss the need for a classical methodology and/or a combination including Agility practices

1 hour

Input: Existing methodologies

Output: Decisions about need of agility, ceremonies, and protocols to be used

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Add the rationale and implication of adopting an Agile methodology and/or a combination with a traditional methodology.

1. Is there an EA methodology adopted by the organization? Is there a classical one, or is it purely Agile?
2. What would need to happen to address the business goals of the organization (e.g. is there a need to be more agile?)? Do you need to have more decisions centralized (e.g. to adopt certain standards, security controls)?
3. Where on the decentralization continuum does your organization need to be?
4. What role would Enterprise Architects have (would they need to be part of existing ceremonies? Would they need to blend traditional and agile processes?)?
5. If a customized methodology is required, identify this as an item to be included as part of the EA roadmap (can be run as a Agile Enterprise Operating Model workshop).

Design an Enterprise Architecture Strategy

Phase 4

Design the EA Services

This phase will walk you through the following activities:

• Select relevant EA services
• Finalize the set of services and secure approval

This phase involves the following participants:

• CIO
• EA Team
• IT Leaders
• Business Leaders

Step 4.1

Select Relevant EA Services

Activities

• 4.1.1 Select the EA services relevant to your organization
• 4.1.2 Identify if your organization needs additional services outside of the recommended list
• 4.1.3 Complete all of the service catalog fields for each service to show the organization how each can be consumed

This step will walk you through the following activities:

• Communicate a definition of EA services.
• Link services to the previously identified EA contributions.

This step involves the following participants:

• CIO
• EA Team
• IT Leaders
• Business Leaders

Outcomes of this step

• A defined set of services the EA function will provide.
• An EA service catalog that demonstrates to the organization how each provided service can be accessed and consumed.

Design the EA Services

The definition of EA services will allow the group to communicate how they can add value to EA stakeholders

Enterprise architecture services are a set of activities the enterprise architecture function provides for the organization. EA services are important because the services themselves provide a set of benefits for the organization.

Enterprise Architecture Services

• A means of delivering value to the business by facilitating outcomes service consumers want to achieve.
• EA services are defined from the business perspective using business language.
• EA services are designed to enable required business activities.

Viewing the EA function from a service perspective resolves the following pains:

• Business users don’t know how EA can assist them.
• Business users don’t know how to request access to a service with multiple sources of information available.
• EA has no way of managing expectations for their users, which tend to inflate.
• EA does not have a holistic view of all the services they need to provide.

Link EA services to the previously identified EA contributions

Previously identified EA contributions can be linked to EA services, which helps the EA function identify a set of EA services that are important to business stakeholders. Further, linking the EA contributions to EA services can define for the EA function the services they need to provide.

Demonstrate EA service value by linking them to EA contributions

1. EA stakeholders generate drivers
2. Drivers have pains that obstruct them
3. Pains are alleviated by EA contributions
4. EA contributions help define the EA services needed
   
   
   • EA Contributions
     Example EA contribution: Business capability mapping shows the business capabilities of the organization and the technology that supports those capabilities in the current and target state. This provides a view for the set of investments that are needed by the organization, which can then be prioritized.
     
     
     • EA Services
       Example EA service: Target-state business capability mapping

4.1.1 Select the EA services relevant to your organization

2 hours

Input: Previously identified EA contributions from the EA value proposition

Output: A set of EA services selected for the organization from Info-Tech’s defined set of EA services

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Begin the selection of EA services relevant to your organization by following the steps below:

1. Gather the EA strategy creation team, and the list of identified EA contributions that the team formulated during Phase 2.
2. Open the EA Service Planning Tool, select one sub-service, and read its definition.
3. Based on the definition of the sub-service, refer back to the identified list of EA contributions and check if there is an identified EA contribution that matches the service.
   • If the EA service definitions matches one of the identified EA contributions, then that EA service is relevant to the organization. If there is no match, then the EA service may not be relevant to the organization.
4. Highlight the sub-service if it is relevant. Add a checkmark beside the EA contribution if it is addressed by a sub-service.
5. Select the next sub-service and repeat steps 2-4. Continue down the list of sub-services in the EA Service Planning Tool until all sub-services have been examined.

Download the EA Service Planning Tool to assist with this activity.

4.1.2 Identify if your organization needs additional services outside of the recommended list

2 hours

Input: Expertise from the EA strategy creation team, Previously defined EA contributions

Output: A defined set of EA services outside the list Info-Tech has recommended

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Identify if services outside of the recommended list in the EA Service Planning Tool are relevant to your organization by using the steps below:

1. Gather the EA strategy creation team and the list of EA contributions with checkmarks for contributions addressed by EA services.
2. Take the list of unaddressed EA contributions and select one EA contribution in the list. Assess whether an EA service is required to address the EA contribution. Ask the group the following:
   • Can the EA practice provide the service now?
   • Does providing this EA service line up with the previously defined EA function scope and EA fundamentals?
3. Decide if a service needs to be provided for that contribution. If yes, give the service a name and a definition.
4. Then, decide if the service fits into one of the service categories in the EA Service Planning Tool. If there is no fit, create another service category. Define the new service category as well.
5. Continue to the next unaddressed EA contribution and repeat steps 2-4. Repeat this process until all unaddressed EA contributions have been assessed.

Download the EA Service Planning Tool to assist with this activity.

Create the EA service catalog to demonstrate to the organization how each service can be accessed and used

The EA service catalog is an important communicator to the business. It shifts the technology-oriented view of EA to services that show direct benefit to the business. It is a tool that communicates and provides clarity to the business about the EA services that are available and how those services can assist them.

Info-Tech Insight

The EA group must provide the organization with a list of services it will provide to demonstrate value. This will help the team manage expectations and the workload while giving organizational stakeholders a clear understanding of how to engage EA and what lies outside of EA’s involvement.

4.1.3 Complete all the service catalog fields for each service to show the organization how each can be consumed

4 hours

Input: Expertise from the EA strategy creation team

Output: Service details for each EA service in your organization

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Complete the details for each relevant EA service in the EA Service Planning Tool by using the following steps:

1. Gather the EA strategy creation team, and open the EA Service Planning Tool.
2. Select one of the services you have defined as relevant and begin the process of defining the service. Define the following fields:
   • Should EA deliver this service? Should the EA team provide this service? (Yes/No)
   • Service trigger: What trigger will signal the need for the service?
   • Service provider: Who in the EA team will provide the service?
   • Service requestor: Who outside of the EA team has requested this service?
3. Have the EA strategy creation team discuss and define each of the fields for the service above. Record the decisions in the corresponding columns of the EA Service Planning Tool.
4. Select the next required EA service, and repeat steps 2 and 3. Repeat the process until all required EA services have their details defined.

Download the EA Service Planning Tool to assist with this activity.

Step 4.2

Finalize the Set of Services and Secure Approval

Activities

• 4.2.1 Secure approval for your organization’s EA strategy
• 4.2.2 Map the EA contributions to business goals
• 4.2.3 Quantify the EA effectiveness
• 4.2.4 Determine the role of the architect in the Agile ceremonies of the organization

This step will walk you through the following activities:

• Present the EA strategy to stakeholders.
• Determine service details for each EA service in your organization.

This step involves the following participants:

• CIO
• EA Team
• IT Leaders
• Business Leaders

Outcomes of this step

• Secured approval for your organization’s EA strategy.
• Measure effectiveness of EA contributions.

Design the EA Services

Present the EA strategy to stakeholders to secure approval of the finalized EA strategy

For the EA strategy to be successfully executed, it must be approved by the EA stakeholders. Securing their approval will increase the likelihood of success in the execution of the EA operating model.

4.2.1 Secure approval of your organization’s EA strategy

1 hour

Input: Completed EA Function Strategy Template, Expertise from EA strategy creation team

Output: Approval of the EA strategy

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team, Key EA stakeholders

Use the following steps to assist with securing approval for your organization’s EA strategy:

1. Call a meeting between the EA strategy creation team and the identified key EA stakeholders. Key stakeholders were defined in activity 2.1.1.
2. Open the completed EA Function Strategy Template. Use it to help you discuss the merits of the EA strategy with the key stakeholders.
3. Discuss with the stakeholders any concerns and modifications they wish to make to the strategy. If detailed questions are asked, refer to the other templates created as a part of this blueprint. Record those concerns and address them at a later time.
4. After presenting the EA strategy, ask the stakeholders for approval. If stakeholders do not approve, refer back to the concerns documented in step 3 and inquire if addressing the concerns will result in approval.
5. If applicable, address stakeholder concerns with the EA strategy.
6. Once EA strategy has been approved, publish the EA strategy to ensure there is a mutual understanding of what the EA function will provide to the organization. Move on to Info-Tech’s Define an EA Operating Model blueprint to begin executing upon the EA strategy.

Use the EA Function Strategy Template to assist with this activity.

4.2.2 Map the EA contributions to the business goals

3 hours

Input: Expertise from EA strategy creation team

Output: Service details for each EA service in your organization

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Map EA contributions/services to the goals of the organization.

1. Start from the business goals of the organization.
2. Determine Business and IT drivers.
3. Identify EA contributions that help achieve the business goals.

Download the EA Service Planning Tool to assist with this activity.

Trace EA drivers to business goals (sample)

4.2.3 Quantify the EA effectiveness

1 hour

Input: Expertise from EA strategy creation team

Output: Defined KPIs (SMART)

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Use SMART key performance indicators (KPIs) to measure EA contributions vis-à-vis business goals.

Measure the EA strategy effectiveness by tracking the benefits it provides to the corporate business goals

The success of the EA function spans across three main dimensions:

• The delivery of EA-enabled business outcomes that are most important to the enterprise.
• The alignment between the business and IT from a planning perspective.
• Improvements in the corporate business goals due to EA contributions (standardization, rationalization, reuse, etc.).

The oil and gas company began the EA strategy creation by crafting an EA value proposition

CASE STUDY

Industry: Oil & Gas
Source: Info-Tech

Challenge

The oil and gas corporation faced a great challenge in communicating the role of enterprise architecture to the organization. Although it has the mandate from the CIO to create the EA function, there was no function in existence. Thus, few people in the organization understood EA.

Because of this lack of understanding, the EA function was often undermined. The EA function was seen as an order taker that provided some services to the organization.

Solution

First, Info-Tech worked with the enterprise architecture team to define the EA stakeholders in the organization.

Second, Info-Tech interviewed those stakeholders to identify their needs. The needs were analyzed and pains that would obstruct addressing those needs were identified.

Lastly, Info-Tech worked with the team to identify common EA contributions that would solve those pains.

Results

Through this process, Info-Tech helped the team at the oil and gas company create a document that could communicate the value of EA. Specifically, the document could articulate the issues obstructing each stakeholder from achieving their needs and how enterprise architecture could solve them.

With this value proposition, EA was able to demonstrate value to important stakeholders and set itself up for success in its future endeavors.

The oil and gas company defined EA services to provide and communicate value to the organization

CASE STUDY

Industry: Oil & Gas
Source: Info-Tech

Challenge

As a brand new enterprise architecture function, the EA function at the oil and gas corporation did not have a set of defined EA services. Because of this lack of EA services, the organization did not know what contributions EA could provide.

Further, without the definition of EA services, the EA function did not set out explicit expectations to the business. This caused expectations from the business to be different from those of the EA function, resulting in friction.

Solution

Info-Tech worked with the EA function at the oil and gas corporation to define a set of EA services the function could provide.

The Info-Tech team, along with the organization, assessed the business and technology needs of the stakeholder. Those needs acted as the basis for the EA function to create their initial services.

Additionally, Info-Tech worked with the team to define the service details (e.g. service benefits, service requestor, service provider) to communicate how to provide services to the business.

Results

The defined EA services led the EA function to communicate what it could provide for the business. As well, the defined services clarified the level of expectation for the business.

The EA team was able to successfully service the business on future projects, adding value through their expertise and knowledge of the organization’s systems. Because of the demonstrated value, EA has been given greater responsibility throughout the organization.

4.2.4 Determine the role of the architect in the Agile ceremonies of the organization

1 hour

Input: Expertise from EA strategy creation team

Output: Participation in Agile Pre- and Post-PI, Architect Syncs, etc.

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: EA strategy creation team

Document the involvement of the enterprise architect in your organization’s Agile ceremonies.

1. Document the Agile ceremonial used in the organization (based on SAFe or other Agile approaches).
2. Determine ceremonies the System Architect will participate in.
3. Determine ceremonies the Solution Architect will participate in
4. Determine ceremonies the Enterprise Architect will participate in.
5. Determine Architect Syncs, etc.

Note: Roles and responsibilities can be further defined as part of the Agile Enterprise Operating Model.

The EA role relative to agility

The enterprise architecture role relative to agility specifies the architecture roles as well as the agile protocols they will participate in.
This statement will guide every architect’s participation in planning meetings, pre- and post-PI, syncs, etc. Use simple and concise terminology; speak loudly and clearly.

A strong EA role statement relative to agility has the following characteristics:

• Describes what different architect roles do to achieve the vision of the organization
• In an agile way
• Compelling
• Easy to grasp
• Sharply focused
• Specific
• Concise

Sample EA mission relative to agility

• Create strategies that provide guardrails for the organization, provide standards, reusable assets, accelerators, and other decisions at the enterprise level that support agility.
• Participate in pre-PI and post-PI planning activities, architect syncs, etc.

A clear statement can include additional details surrounding the Enterprise Architect role relative to agility

Likewise, below is a sample of connecting keywords together to form an enterprise architect role statement, relative to agility.

Optimize, transform, and innovate by defining and implementing the [Company]’s target enterprise architecture in an agile way.

Optimize – We collaborate with the business to analyze and optimize business capabilities and business processes to enable the agile and efficient attainment of [Company name] business objectives.

Transform – We support IT-enabled business transformation programs by building and maintaining a shared vision of the future-state enterprise and consistently communicating it to stakeholders.

Innovate – We identify and develop new and creative opportunities for IT to enable the business. We communicate the art of the possible to the business.

Defining and implementing – We engage with project teams early and guide solution design and selection to ensure alignment to the target-state enterprise architecture and provide guidance as well as accelerators.

Target enterprise structure in an agile way – We analyze business needs and priorities and assess the current state of the enterprise. We build and maintain the target enterprise architecture blueprints that define:

• Business capabilities and processes (business architecture)
• Data, application, and technology assets that enable business capabilities and processes (technology architecture)
• Architecture principles
• Standards and reusable assets
• Continuous exploration, integration, and deployment

Move to the enterprise architecture operating model blueprint to execute your EA strategy

Once approved, move on to Info-Tech’s Define an EA Operating Model blueprint to begin executing on the EA strategy.

Enterprise architecture strategy

This blueprint focuses on setting up an enterprise architecture function, with the goal of maximizing the likelihood of EA success. The blueprint puts into place the components that will align the EA function with the needs of the stakeholders, guide the decision making of the EA function, and define the services EA can provide to the organization.

Agile enterprise architecture operating model

An EA operating model helps you design and organize the EA function, ensuring adherence to architectural standards and delivery of EA services. This blueprint acts on the EA strategy by creating methods to engage, govern, and develop architecture as a part of the larger organization.

Research contributors and experts

Milena Litoiu Senior Director Research and Advisory, Enterprise Architecture Milena Litoiu is a Principal/Senior Manager of Enterprise Architecture. She is Master Certified with The Open Group and she sits on global architecture certification boards. Other certifications include SABSA, CRISC, and Scaled Agile Framework. She started as a certified IT Architect at IBM and has over 25 years experience in this field. Milena teaches enterprise architecture at the University of Toronto and led the development of the Enterprise Architecture Certificate (a course on EA fundamentals, one on EA development and Governance, and one on Trends going forward). She has a Masters in Engineering, an executive MBA, and extensive experience in enterprise architecture as well as methodologies and tools.

Lan Nguyen IT Executive, Mentor, Managing Partner at CIOs Beyond Borders Group Lan Nguyen has a wealth of experience driving the EA strategy and the digital transformation success at the City of Toronto. Lan is a university lecturer on topics like strategic leadership in the digital enterprise. Lan is a Managing Partner at CIOs Beyond Borders Group. Lan specializes in Partnership Development; Governance; Strategic Planning, Business Development; Government Relations; Business Relationship Management; Leadership Development; Organizational Agility and Change Management; Talent Management; Managed Services; Digital Transformation; Strategic Management of Enterprise IT; Shared Services; Service Quality Improvement, Portfolio Management; Community Development; and Social Enterprise.

Thanks also go to all experts who contributed to previous versions of this document:

• Zachary Curry, Director, Enterprise Architecture and Innovation, FMC Technologies
• Pam Doucette, Director of Enterprise Architecture, Tufts Health Plan
• Joe Evers, Consulting Principal, JcEvers Consulting Corp
• Cameron Fairbairn, Enterprise Architect, Agriculture Financial Services Corporation (AFSC)
• Michael Fulton, Chief Digital Officer & Senior IT Strategy & Architecture Consultant at CC and C Solutions
• Tom Graves, Principal Consultant, Tetradian Consulting
• (JB) Brahmaiah Jarugumilli, Consultant, Federal Aviation Administration – Enterprise Services Center
• Huw Morgan, IT Research Executive, Enterprise Architect
• Serge Parisien, Manager, Enterprise Architecture, Canada Mortgage & Housing Corporation

Additional interviews were conducted but are not listed due to privacy and confidentiality requirements.

Bibliography

“Agile Manifesto for Software Development,” Ward Cunningham, 2001. Accessed July 2021.

“ArchiMate 3.1 Specification.” The Open Group, n.d. Accessed July 2021.

“Are Your IT Strategy and Business Strategy Aligned?” 5Q Partners, 8 Jan. 2015. Accessed Oct. 2016.

Bowen, Fillmore. “How agile companies create and sustain high ROI.” IBM. Accessed Oct. 2016.

Burns, Peter, et al. Building Value through Enterprise Architecture: A Global Study. Booz & Co. 2009. Web. Nov. 2016.

“Demonstrating the Value of Enterprise Architecture in Delivering Business Capabilities.” Cisco, 2008. Web. Oct. 2016.

“Disciplined Agile.” Disciplined Agile Consortium, n.d. Web.

Fowler, Martin. “Building Effective software.” MartinFowler.com. Accessed July 2021.

Fowler, Martin. “Agile Software Guide.” MartinFowler.com, 1 Aug. 2019.

Haughey, Duncan. “SMART Goals.” Project Smart, 2014. Accessed July 2021.

Kern, Matthew. “20 Enterprise Architecture Practices.” LinkedIn, 3 March 2016. Accessed Nov. 2016.

Lahanas, Stephen. “Infrastructure Architecture, Defined.” IT Architecture Journal, Sept. 2014. Accessed July 2021.

Lean IX website, Accessed July 2021.

Litoiu, Milena. Course material from Information Technology 2690: Foundations of Enterprise Architecture, 2021, University of Toronto.

Mocker, M., J.W. Ross, and C.M. Beath. “How Companies Use Digital Technologies to Enhance Customer Findings.” MIT CISR Working Paper No. 434, Feb. 2019. Qtd in Mayor, Tracy. “MIT expert recaps 30-plus years of enterprise architecture.” MIT Sloan, 10 Aug. 2020. Web.

“Open Agile ArchitectureTM.” The Open Group, 2020. Accessed July 2021.

“Organizational Design Framework – The Transformation Model.” The Center for Organizational Design, n.d. Accessed 1 Aug. 2020.

Ross, Jeanne W. et al. Enterprise Architecture as Strategy: Creating a Foundation for Business Execution. Harvard Business School Press, 2006.

Rouse, Margaret. “Enterprise Architecture (EA).” SearchCIO, June 2007. Accessed Nov. 2016.

“SAFe 5 for Lean Enterprises.” Scaled Agile Framework, Scaled Agile, Inc. Accessed 2021.

“Security Architecture.” Technopedia, updated 20 Dec. 2016. Accessed July 2021.

“Software Engineering Institute.” Carnegie Mellon University, n.d. Web.

“TOGAF 9.1.” The Open Group, 2011. Accessed Oct. 2016.

“TOGAF 9.2.” The Open Group, 2018. Accessed July 2021.

Thompson, Rachel. “Stakeholder Analysis: Winning Support for Your Projects.” MindTools, n.d. Accessed July 2021.

Wendt, Jerome M. “Redefining ‘SMB’, ‘SME’ and ‘Large Enterprise.’” DCIG, 25 Mar. 2011. Accessed July 2021.

Wilkinson, Jim. “Business Drivers.” The Strategic CFO, 23 July 2013. Accessed July 2021.

Zachman, John. “Conceptual, Logical, Physical: It is Simple.” Zachman International, 2011. Accessed July 2021.

Improve Security Governance With a Security Steering Committee

Build an inclusive committee to enable holistic strategic decision making.

ANALYST PERSPECTIVE

Our understanding of the problem

This Research Is Designed For:

• CIOs
• CISOs
• IT/Security Leaders

This Research Will Help You:

• Develop an effective information security steering committee (ISSC) that ensures the right people are involved in critical decision making.
• Ensure that business and IT strategic direction are incorporated into security decisions.

This Research Will Also Assist:

• Information Security Steering Committee (ISSC) members

This Research Will Help Them:

• Formalize roles and responsibilities.
• Define effective security metrics.
• Develop a communication plan to engage executive management in the organization’s security planning.

Executive summary

Situation

• Successful information security governance requires a venue to address security concerns with participation from across the entire business.
• Without access to requisite details of the organization – where we are going, what we are trying to do, how the business expects to use its technology – security can not govern its strategic direction.

Complication

• Security is still seen as an IT problem rather than a business risk, resulting in security governance being relegated to the existing IT steering committee.
• Security is also often positioned in the organization where they are not privy to the details of the organization’s overall strategy. Security leaders struggle to get the full enterprise picture.

Resolution

• Define a clear scope of purpose and responsibilities for the Information Security Steering Committee to gain buy-in and consensus for security governance receiving independent agenda time from the broader IT organization.
• Model the information flows necessary to provide the steering committee with the intelligence to make strategic decisions for the enterprise.
• Determine membership and responsibilities that shift with the evolving security landscape to ensure participation reflects interested parties and that money being spent on security mitigates risk across the enterprise.
• Create security metrics that are aligned with committee members’ operational goals to incentivize participation.
• Create clear presentation material and strategically oriented meeting agendas to drive continued participation from business stakeholders and executive management.

Info-Tech Insight

1. Work to separate the ISSC from the IT Steering Committee (ITSC). Security transcends the boundaries of IT and needs an independent, eclectic approach to make strategic decisions.
2. Be the lawyer, not the cop. Ground your communications in business terminology to facilitate a solution that make sense to the entire organization.
3. Develop and stick to the agenda. Continued engagement from business stakeholders requires sticking to a strategic level-focused agenda. Dilution of purpose will lead to dilution in attendance.

Empower your security team to act strategically with an ISSC

Establishing an Information Security Steering Committee (ISSC)

Even though security is a vital consideration of any IT governance program, information security has increasingly become an important component of the business, moving beyond the boundaries of just the IT department.

This requires security to have its own form of steering, beyond the existing IT Steering Committee, that ensures continual alignment of the organization’s security strategy with both IT and business strategy.

An ISSC should have three primary objectives:

• Direct Strategic Planning The ISSC formalizes organizational commitments to strategic planning, bringing visibility to key issues and facilitating the integration of security controls that align with IT and business strategy.
• Institute Clear Accountability The ISSC facilitates the involvement and commitment of executive management through clearly defined roles and accountabilities for security decisions, ensuring consistency in participation as the organization’s strategies evolve.
• Optimize Security Resourcing The ISSC maximizes security by monitoring the implementation of the security strategic plan, making recommendations on prioritization of effort, and securing necessary resources through the planning and budgeting processes, as necessary.

What does the typical ISSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your ISSC should aim to provide the following core governance functions for your security program:

1. Define Clarity of Intent and Direction How does the organization’s security strategy support the attainment of the business and IT strategies? The ISSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.
2. Establish Clear Lines of Authority Security programs contain many important elements that need to be coordinated. There needs to be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.
3. Provide Unbiased Oversight The ISSC should vet the organization’s systematic monitoring processes to make certain there is adherence to defined risk tolerance levels and ensure that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.
4. Optimize Security Value Delivery Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Formalize the most important governance functions for your organization

Creation of an ISSC is deemed the most important governance and oversight practice that a CISO can implement, based on polling of IT security leaders analyzing the evolving role of the CISO.

Relatedly, other key governance practices reported – status updates, upstream communications, and executive-level sponsorship – are within the scope of what organizations traditionally formalize when establishing their ISSC.

Despite the clear benefits of an ISSC, organizations are still falling short

83% of organizations have not established formal steering committees to evaluate the business impact and risks associated with security decisions. (Source: 2017 State of Cybersecurity Metrics Report)

70% of organizations have delegated cybersecurity oversight to other existing committees, providing security limited agenda time. (Source: PwC 2017 Annual Corporate Director Survey)

"This is a group of risk managers an institution would bring together to deal with a response anyway. Having them in place to do preventive discussions and formulate policy to mitigate the liability sets and understand compliance obligations is just powerful." (Kirk Bailey, CISO, University of Washington)

Prevent the missteps that make 9 out of 10 steering committees unsuccessful

Why Do Steering Committees Fail?

1. A lack of appetite for a steering committee from business partners. An effective ISSC requires participation from core members of the organization’s leadership team. The challenge is that most business partners don’t understand the benefits of an ISSC and the responsibilities aren’t tailored to participants’ needs or interests. It’s the CISO’s (or senior IT/security leader’s) responsibility to make this case to stakeholders and right-size the committee responsibilities and membership.
2. ISSC committees are given inappropriate responsibilities. The steering committee is fundamentally about decision making; it’s not a working committee. Security leadership typically struggles with clarifying these responsibilities on two fronts: either the responsibilities are too vague and there is no clear way to execute on them within a meeting or responsibilities are too tactical and require knowledge that participants do not have. Responsibilities should determine who is on the ISSC, not the other way around.
3. Lack of process around execution. An ISSC is only valuable if members are able to successfully execute on its mandate. Without well-defined processes it becomes nearly impossible for the ISSC to be actionable. As a result, participants lack the information they need to make critical decisions, agendas are unmet, and meetings are seen as a waste of time.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Improve Security Governance With a Security Steering Committee – project overview

	1. Define Committee Purpose and Responsibilities	2. Determine Information Flows, Membership & Accountabilities	3. Operate the Information Security Steering Committee
Best-Practice Toolkit	1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC 1.2 Conduct a SWOT analysis of your information security governance capabilities 1.3 Identify the responsibilities and duties of the ISSC 1.4 Draft the committee purpose statement of your ISSC	2.1 Define your SIPOC model for each of the ISSC responsibilities 2.2 Identify committee participants and responsibility cadence 2.3 Define ISSC participant RACI for each of the responsibilities	3.1 Define the ISSC meeting agendas and procedures 3.2 Define which metrics you will report to the ISSC 3.3 Hold a kick-off meeting with your ISSC members to explain the process, responsibilities, and goals 3.4 Tailor the Information Security Steering Committee Stakeholder Presentation template 3.5 Present the information to the security leadership team 3.6 Schedule your first meeting of the ISSC
Guided Implementations	Identify the responsibilities and duties of the ISSC. Draft the committee purpose of the ISSC.	Determine SIPOC modeling of information flows. Determine accountabilities and responsibilities.	Set operational standards. Determine effectiveness metrics. Steering committee best practices.
Onsite Workshop	This blueprint can be combined with other content for onsite engagements, but is not a standalone workshop.
	Phase 1 Outcome: Determine the purpose and responsibilities of your information security steering committee.	Phase 2 Outcome: Determine membership, accountabilities, and information flows to enable operational excellence.	Phase 3 Outcome: Define agendas and standard procedures to operate your committee. Design an impactful stakeholder presentation.

Improve Security Governance With a Security Steering Committee

PHASE 1

Define Committee Purpose and Responsibilities

Phase 1: Define Committee Purpose and Responsibilities

ACTIVITIES:

• 1.1 Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC
• 1.2 Conduct a SWOT analysis of your information security governance capabilities
• 1.3 Identify the responsibilities and duties of the ISSC
• 1.4 Draft the committee purpose statement for your ISSC

OUTCOMES:

• Conduct an analysis of your current information security governance capabilities and identify opportunities and weaknesses.
• Define a clear scope of purpose and responsibilities for your ISSC.
• Begin to customize your ISSC charter.

Info-Tech Insight

Balance vision with direction. Purpose and responsibilities should be defined so that they encompass your mission and objectives to the enterprise in clear terms, but provide enough detail that you can translate the charter into operational plans for the security team.

Tailor Info-Tech’s Information Security Steering Committee Charter Template to define terms of reference for the ISSC

A charter is the organizational mandate that outlines the purpose, scope, and authority of the ISSC. Without a charter, the steering committee’s value, scope, and success criteria are unclear to participants, resulting in unrealistic stakeholder expectations and poor organizational acceptance.

Start by reviewing Info-Tech’s template. Throughout the next two sections we will help you to tailor its contents.

• Committee Purpose: The rationale, benefits of, and overall function of the committee.
• Organization and Membership: Who is on the committee and how is participation measured against organizational need.
• Responsibilities and Duties: What tasks/decisions the accountable committee is making.
• RACI: Who is accountable, responsible, consulted, and informed regarding each responsibility.
• Committee Procedures and Agendas: Includes how the committee will be organized and how the committee will interact and communicate with interested parties.

Download the Information Security Steering Committee Charter to customize your organization’s charter

Conduct a SWOT analysis of your information security governance capabilities

INPUT: Survey outcomes, Governance overview handouts

OUTPUT: SWOT analysis, Top identified challenges and opportunities

1. Hold a meeting with your IT leadership team to conduct a SWOT analysis on your current information security governance capabilities.
2. In small groups, or individually, have each group complete a SWOT analysis for one of the governance areas. For each consider:
   • Strengths: What is currently working well in this area?
   • Weaknesses: What could you improve? What are some of the challenges you’re experiencing?
   • Opportunities: What are some organizational trends that you can leverage? Consider whether your strengths or weaknesses could create opportunities.
   • Threats: What are some key obstacles across people, process, and technology?
3. Have each team or individual rotate until each person has contributed to each SWOT. Add comments from the stakeholder survey to the SWOT.
4. As a group, rank the inputs from each group and highlight the top five challenges and the top five opportunities you see for improvement.

Identify the responsibilities and duties of the ISSC

INPUT: SWOT analysis, Survey reports

OUTPUT: Defined ISSC responsibilities

1. With your security leadership team, review the typical responsibilities of the ISSC on the following slides (also included in the templated text of the charter linked below).
2. Print off the following two slides, and in small teams or individually, identify which responsibilities the ISSC should have in your organization, brainstorm any additional responsibilities, and document reasoning.
3. Have each team present to the larger group, track the similarities and differences between each of the groups, and come to consensus on the list of categories and responsibilities.
4. Complete a sanity check: review your SWOT analysis. Do the responsibilities you’ve identified resolve the critical challenges or weaknesses?
5. As a group, consider the responsibilities and whether you can reasonably implement those in one year or if there are any that will need to wait until year two of the committee.

Add or modify responsibilities in Info-Tech’s Information Security Steering Committee Charter.

Typical ISSC responsibilities and duties

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Strategic Oversight

• Provide oversight and ensure alignment between information security strategy and company objectives.
• Assess the adequacy of resources and funding to sustain and advance successful security programs and practices for identifying, assessing, and mitigating cybersecurity risks across all business functions.
• Review controls to prevent, detect, and respond to cyber-attacks or information or data breaches involving company electronic information, intellectual property, data, or connected devices.
• Review the company’s cyberinsurance policies to ensure appropriate coverage.
• Provide recommendations, based on security best practices, for significant technology investments.

Policy Governance

• Review company policies pertaining to information security and cyberthreats, taking into account the potential for external threats, internal threats, and threats arising from transactions with trusted third parties and vendors.
• Review privacy and information security policies and standards and the ramifications of updates to policies and standards.
• Establish standards and procedures for escalating significant security incidents to the ISSC, board, other steering committees, government agencies, and law enforcement, as appropriate.

Typical ISSC responsibilities and duties (continued)

Use the following list of responsibilities to customize the list of responsibilities your ISSC may take on. These should link directly to the Responsibilities and Duties section of your ISSC charter.

Risk Governance

• Review and approve the company’s information risk governance structure and key risk management processes and capabilities.
• Assess the company’s high-risk information assets and coordinate planning to address information privacy and security needs.
• Provide input to executive management regarding the enterprise’s information risk appetite and tolerance.
• Review the company’s cyber-response preparedness, incident response plans, and disaster recovery capabilities as applicable to the organization’s information security strategy.
• Promote an open discussion regarding information risk and integrate information risk management into the enterprise’s objectives.

Monitoring & Reporting

• Receive periodic reports and coordinate with management on the metrics used to measure, monitor, and manage cyber and IT risks posed to the company and to review periodic reports on selected risk topics as the Committee deems appropriate.
• Review reports provided by the IT organization regarding the status of and plans for the security of the company’s data stored on internal resources and with third-party providers.
• Monitor and evaluate the quality and effectiveness of the company’s technology security, capabilities for disaster recovery, data protection, cyberthreat detection and cyber incident response, and management of technology-related compliance risks.

Review the organization’s security strategy to solidify understanding of the ISSC’s purpose

The ISSC should consistently evolve to reflect the strategic purpose of the security program. If you completed Info-Tech’s Security Strategy methodology, review the results to inform the scope of your committee. If you have not completed Info-Tech’s methodology, determining these details should be achieved through iterative stakeholder consultations.

Draft the committee purpose statement of your ISSC

INPUT: SWOT Analysis, Security Strategy

OUTPUT: ISSC Committee Purpose

1. In a meeting with your IT leadership team – and considering the organization’s security strategy, defined responsibilities, and opportunities and threats identified – review the example goal statement in the Information Security Steering Committee Charter, and identify whether any of these statements apply to your organization. Select the statements that apply and collaboratively make any changes needed.
2. Define unique goal statements by considering the following questions:
   • What three things would you realistically list for the ISSC to achieve?
   • If you were to accomplish three things in the next year, what would those be?
3. With those goal statements in mind, consider the overall purpose of the committee. The purpose statement should be a reflection of what the committee does, why, and the goals.
4. Have each individual review the example purpose statement and draft what they think a good purpose statement would be.
5. Present each statement, and work together to determine a best-of-breed statement.

Alter the Committee Purpose section in the Information Security Steering Committee Charter.

Redesign Your IT Organizational Structure

Designing an IT structure that will enable your strategic vision is not about an org chart – it’s about how you work.

EXECUTIVE BRIEF

Analyst Perspective

Structure enables strategy.

Allison Straker

Research Director,

Organizational Transformation

Brittany Lutes

Senior Research Analyst,

Organizational Transformation

An organizational structure is much more than a chart with titles and names. It defines the way that the organization operates on a day-to-day basis to enable the successful delivery of the organization’s information and technology objectives. Moreover, organizational design sees beyond the people that might be performing a specific role. People and role titles will and often do change frequently. Those are the dynamic elements of organizational design that allow your organization to scale and meet specific objectives at defined points of time. Capabilities, on the other hand, are focused and related to specific IT processes.

Redesigning an IT organizational structure can be a small or large change transformation for your organization. Create a structure that is equally mindful of the opportunities and the constraints that might exist and ensure it will drive the organization towards its vision with a successful implementation. If everyone understands why the IT organization needs to be structured that way, they are more likely to support and adopt the behaviors required to operate in the new structure.

Executive Summary

Your Challenge

Your organization needs to reorganize itself because:

• The current IT structure does not align to the strategic objectives of the organization.
• There are inefficiencies in how the IT function is currently operating.
• IT employees are unclear about their role and responsibilities, leading to inconsistencies.
• New capabilities or a change in how the capabilities are organized is required to support the transformation.

Common Obstacles

Many organizations struggle when it comes redesigning their IT organizational structure because they:

• Jump right into creating the new organizational chart.
• Do not include the members of the IT leadership team in the changes.
• Do not include the business in the changes.
• Consider the context in which the change will take place and how to enable successful adoption.

Info-Tech’s Approach

Successful IT organization redesign includes:

• Understanding the drivers, context, and strategies that will inform the structure.
• Remaining objective by focusing on capabilities over people or roles.
• Identifying gaps in delivery, sourcing strategies, customers, and degrees of centralization.
• Remembering that organizational design is a change initiative and will require buy-in.

Info-Tech Insight

A successful redesign requires a strong foundation and a plan to ensure successful adoption. Without these, the organizational chart has little meaning or value.

Your challenge

This research is designed to help organizations who are looking to:

• Redesign the IT structure to align to the strategic objectives of the enterprise.
• Increase the effectiveness in how the IT function is operating in the organization.
• Provide clarity to employees around their roles and responsibilities.
• Ensure there is an ability to support new IT capabilities and/or align capabilities to better support the direction of the organization.
• Align the IT organization to support a business transformation such as becoming digitally enabled or engaging in M&A activities.

Organizational design is a challenge for many IT and digital executives

69% of digital executives surveyed indicated challenges related to structure, team silos, business-IT alignment, and required roles when executing on a digital strategy.

Source: MIT Sloan, 2020

Common obstacles

These barriers make IT organizational redesign difficult to address for many organizations:

• Confuse organizational design and organizational charts as the same thing.
• Start with the organizational chart, not taking into consideration the foundational elements that will make that chart successful.
• Fail to treat organizational redesign as a change management initiative and follow through with the change.
• Exclude impacted or influential IT leaders and/or business stakeholders from the redesign process.
• Leverage an operating model because it is trending.

To overcome these barriers:

• Understand the context in which the changes will take place.
• Communicate the changes to those impacted to enable successful adoption and implementation of a new organizational structure.
• Understand that organizational design is for more than just HR leaders now; IT executives should be driving this change.

Succeed in Organizational Redesign

75% The percentage of change efforts that fail.

Source: TLNT, 2019

55% The percentage of practitioners who identify how information flows between work units as a challenge for their organization.

Source: Journal of Organizational Design, 2019

Organizational design defined

If your IT strategy is your map, your IT organizational design represents the optimal path to get there.

IT organizational design refers to the process of aligning the organization’s structure, processes, metrics, and talent to the organization’s strategic plan to drive efficiency and effectiveness.

Understand the organizational differences

Organizational Design

Organizational design the process in which you intentionally align the organizational structure to the strategy. It considers the way in which the organization should operate and purposely aligns to the enterprise vision. This process often considers centralization, sourcing, span of control, specialization, authority, and how those all impact or are impacted by the strategic goals.

Operating Model

Operating models provide an architectural blueprint of how IT capabilities are organized to deliver value. The placement of the capabilities can alter the culture, delivery of the strategic vision, governance model, team focus, role responsibility, and more. Operating model sketches should be foundational to the organizational design process, providing consistency through org chart changes.

Organizational Structure

The organizational structure is the chosen way of aligning the core processes to deliver. This can be strategic, or it can be ad hoc. We recommend you take a strategic approach unless ad hoc aligns to your culture and delivery method. A good organizational structure will include: “someone with authority to make the decisions, a division of labor and a set of rules by which the organization operates” (Bizfluent, 2019).

Organizational Chart

The capstone of this change initiative is an easy-to-read chart that visualizes the roles and reporting structure. Most organizations use this to depict where individuals fit into the organization and if there are vacancies. While this should be informed by the structure it does not necessarily depict workflows that will take place. Moreover, this is the output of the organizational design process.

Sources: Bizfluent, 2019; Strategy & Business, 2015; SHRM, 2021

The Technology Value Trinity

All three elements of the Technology Value Trinity work in harmony to delivery business value and achieve strategic needs. As one changes, the others need to change as well.

How do these three elements relate?

• Digital and IT strategy tells you what you need to achieve to be successful.
• Operating model and organizational design align resources to deliver on your strategy and priorities. This is done by strategically structuring IT capabilities in a way that enables the organizations vision and considers the context in which the structure will operate.
• I&T governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy and is the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy.

Too often strategy, organizational design, and governance are considered separate practices – strategies are defined without teams and resources to support. Structure must follow strategy.

Info-Tech’s approach to organizational design

Like a story, a strategy without a structure to deliver on it is simply words on paper.

Books begin by setting the foundation of the story.

Introduce your story by:

• Defining the need(s) that are driving this initiative forward.
• Introducing the business context in which the organizational redesign must take place.
• Outlining what’s needed in the redesign to support the organization in reaching its strategic IT goals.

The plot cannot thicken without the foundation. Your organizational structure and chart should not exist without one either.

The steps to establish your organizational chart - with functional teams, reporting structure, roles, and responsibilities defined – cannot occur without a clear definition of goals, need, and context. An organizational chart alone won’t provide the insight required to obtain buy-in or realize the necessary changes.

Conclude your story through change management and communication.

Good stories don’t end without referencing what happened before. Use the literary technique of foreshadowing – your change management must be embedded throughout the organizational redesign process. This will increase the likelihood that the organizational structure can be communicated, implemented, and reinforced by stakeholders.

Info-Tech uses a capability-based approach to help you design your organizational structure

Once your IT strategy is defined, it is critical to identify the capabilities that are required to deliver on those strategic initiatives. Each initiative will require a combination of these capabilities that are only supported through the appropriate organization of roles, skills, and team structures.

Embed change management into organizational design

Change management practices are needed from the onset to ensure the implementation of an organizational structure.

For each phase of this blueprint, its important to consider change management. These are the points when you need to communicate the structure changes:

• Phase 1: Begin to socialize the idea of new organizational structure with executive leadership and explain how it might be impactful to the context of the organization. For example, a new control, governance model, or sourcing approach could be considered.
• Phase 2: The chosen operating model will influence your relationships with the business and can create/eliminate silos. Ensure IT and business leaders have insight into these possible changes and a willingness to move forward.
• Phase 3: The new organizational structure could create or eliminate teams, reduce or increase role responsibilities, and create different reporting structures than before. It’s time to communicate these changes with those most impacted and be able to highlight the positive outcomes of the various changes.
• Phase 4: Should consider the change management practices holistically. This includes the type of change and length of time to reach the end state, communication, addressing active resistors, acquiring the right skills, and measuring the success of the new structure and its adoption.

Info-Tech Insight

Do not undertake an organizational redesign initiative if you will not engage in change management practices that are required to ensure its successful adoption.

Measure the value of the IT organizational redesign

Given that the organizational redesign is intended to align with the overall vision and objectives of the business, many of the metrics that support its success will be tied to the business. Adapt the key performance indicators (KPIs) that the business is using to track its success and demonstrate how IT can enable the business and improve its ability to reach those targets.

Strategic Resources

The percentage of resources dedicated to strategic priorities and initiatives supported by IT operating model. While operational resources are necessary, ensuring people are allocating time to strategic initiatives as well will drive the business towards its goal state. Leverage Info-Tech’s IT Staffing Assessment diagnostic to benchmark your IT resource allocation.

Business Satisfaction

Assess the improvement in business satisfaction overall with IT year over year to ensure the new structure continues to drive satisfaction across all business functions. Leverage Info-Tech’s CIO Business Vision diagnostic to see how your IT organization is perceived.

Role Clarity

The degree of clarity that IT employees have around their role and its core responsibilities can lead to employee engagement and retention. Consider measuring this core job driver by leveraging Info-Tech’s Employee Engagement Program.

Customer & User Satisfaction

Measure customer satisfaction with technology-enabled business services or products and improvements in technology-enabled client acquisition or retention processes. Assess the percentage of users satisfied with the quality of IT service delivery and leverage Info-Tech’s End-User Satisfaction Survey to determine improvements.

Info-Tech’s methodology for Redesigning Your IT Organization

Insight summary

Overarching insight

Organizational redesign processes focus on defining the ways in which you want to operate and deliver on your strategy – something an organizational chart will never be able to convey.

Phase 1 insight

Focus on your organization, not someone else's’. Benchmarking your organizational redesign to other organizations will not work. Other organizations have different strategies, drivers, and context.

Phase 2 insight

An operating model sketch that is customized to your organization’s specific situation and objectives will significantly increase the chances of creating a purposeful organizational structure.

Phase 3 insight

If you follow the steps outlined in the first three phases, creating your new organizational chart should be one of the fastest activities.

Phase 4 insight

Throughout the creation of a new organizational design structure, it is critical to involve the individuals and teams that will be impacted.

Tactical insight

You could have the best IT employees in the world, but if they aren’t structured well your organization will still fail in reaching its vision.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Communication Deck

Communicate the changes to other key stakeholders such as peers, managers, and staff.

Workbook

As you work through each of the activities, use this workbook as a place to document decisions and rationale.

Reference Deck

Definitions for every capability, base operating model sketches, and sample organizational charts aligned to those operating models.

Job Descriptions

Key deliverable:

Executive Presentation

Leverage this presentation deck to gain executive buy-in for your new organizational structure.

Blueprint benefits

IT Benefits

• Create an organizational structure that aligns to the strategic goals of IT and the business.
• Provide IT employees with clarity on their roles and responsibilities to ensure the successful delivery of IT capabilities.
• Highlight and sufficiently staff IT capabilities that are critical to the organization.
• Define a sourcing strategy for IT capabilities.
• Increase employee morale and empowerment.

Business Benefits

• IT can carry out the organization’s strategic mission and vision of all technical and digital initiatives.
• Business has clarity on who and where to direct concerns or questions.
• Reduce the likelihood of turnover costs as IT employees understand their roles and its importance.
• Create a method to communicate how the organizational structure aligns with the strategic initiatives of IT.
• Increase ability to innovate the organization.

Executive Brief Case Study

IT design needs to support organizational and business objectives, not just IT needs.

INDUSTRY: Government

SOURCE: Analyst Interviews and Working Sessions

Situation

IT was tasked with providing equality to the different business functions through the delivery of shared IT services. The government created a new IT organizational structure with a focus on two areas in particular: strategic and operational support capabilities.

Challenge

When creating the new IT structure, an understanding of the complex and differing needs of the business functions was not reflected in the shared services model.

Outcome

As a result, the new organizational structure for IT did not ensure adequate meeting of business needs. Only the operational support structure was successfully adopted by the organization as it aligned to the individual business objectives. The strategic capabilities aspect was not aligned to how the various business lines viewed themselves and their objectives, causing some partners to feel neglected.

Info-Tech offers various levels of support to best suit your needs.

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 8 to 12 calls over the course of 4 to 6 months.

Phase 1

Call #1: Define the process, understand the need, and create a plan of action.

Phase 2

Call #2: Define org. design drivers and business context.

Call #3: Understand strategic influences and create customized design principles.

Call #4: Customize, analyze gaps, and define sourcing strategy for IT capabilities.

Call #5: Select and customize the IT operating model sketch.

Phase 3

Call #6: Establish functional work units and their mandates.

Call #7: Translate the functional organizational chart to an operational organizational chart with defined roles.

Phase 4

Call #8: Consider risks and mitigation tactics associated with the new structure and select a transition plan.

Call #9: Create your change message, FAQs, and metrics to support the implementation plan.

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

This blueprint is part one of a three-phase approach to organizational transformation

Risk Management: Create, implement, and monitor risk management plan.

HR Management: Develop job descriptions, conduct job evaluation, and develop compensation packages.

Monitor and Sustain Stakeholder Engagement

Phase 1

Establish the Organizational Redesign Foundation

This phase will walk you through the following activities:

1.1 Define the organizational redesign driver(s)

1.2 Create design principles based on the business context

1.3a (Optional Exercise) Identify the capabilities from your value stream

1.3b Identify the capabilities required to deliver on your strategies

1.4 Finalize your list of design principles

This phase involves the following participants:

• CIO
• IT Leadership
• Business Leadership

Embed change management into the organizational design process

Articulate the Why

Changes are most successful when leaders clearly articulate the reason for the change – the rationale for the organizational redesign of the IT function. Providing both staff and executive leaders with an understanding for this change is imperative to its success. Despite the potential benefits to a redesign, they can be disruptive. If you are unable to answer the reason why, a redesign might not be the right initiative for your organization.

Employees who understand the rationale behind decisions made by executive leaders are 3.6 times more likely to be engaged.

McLean & Company Engagement Survey Database, 2021; N=123,188

Info-Tech Insight

Successful adoption of the new organizational design requires change management from the beginning. Start considering how you will convey the need for organizational change within your IT organization.

The foundation of your organizational design brings together drivers, context, and strategic implications

All aspects of your IT organization’s structure should be designed with the business’ context and strategic direction in mind.

Use the following set of slides to extract the key components of your drivers, business context, and strategic direction to land on a future structure that aligns with the larger strategic direction.

REDESIGN DRIVERS

Driver(s) can originate from within the IT organization or externally. Ensuring the driver(s) are easy to understand and articulate will increase the successful adoption of the new organizational structure.

BUSINESS CONTEXT

Defines the interactions that occur throughout the organization and between the organization and external stakeholders. The context provides insight into the environment by both defining the purpose of the organization and the values that frame how it operates.

STRATEGY IMPLICATIONS

The IT strategy should be aligned to the overall business strategy, providing insight into the types of capabilities required to deliver on key IT initiatives.

Understand IT’s desired maturity level, alignment with business expectations, and capabilities of IT

Where are we today?

Determine the current overall maturity level of the IT organization.

Where do we want to be as an organization?

Use the inputs from Info-Tech’s diagnostic data to determine where the organization should be after its reorganization.

How can you leverage these results?

The result of these diagnostics will inform the design principles that you’ll create in this phase.

Leverage Info-Tech’s diagnostics to provide an understanding of critical areas your redesign can support:

CIO Business Vision Diagnostic

Management & Governance Diagnostic

IT Staffing Diagnostic

Consider the organizational design drivers

Consider organizational redesign if …

Effectiveness is a concern:

• Insufficient resources to meet demand
• Misalignment to IT (and business) strategies
• Lack of clarity around role responsibility or accountability
• IT functions operating in silos

New capabilities are needed:

• Organization is taking on new capabilities (digital, transformation, M&A)
• Limited innovation
• Gaps in the capabilities/services of IT
• Other external environmental influences or changes in strategic direction

Lack of business understanding

• Misalignment between business and IT or how the organization does business
• Unhappy customers (internal or external)

Workforce challenges

• Frequent turnover or inability to attract new skills
• Low morale or employee empowerment

These are not good enough reasons …

• New IT leader looking to make a change for the sake of change or looking to make their legacy known
• To work with specific/hand-picked leaders over others
• To “shake things up” to see what happens
• To force the organization to see IT differently

Info-Tech Insight

Avoid change for change’s sake. Restructuring could completely miss the root cause of the problem and merely create a series of new ones.

1.1 Define the organizational redesign driver(s)

1-2 hours

1. As a group, brainstorm a list of current pain points or inhibitors in the current organizational structure, along with a set of opportunities that can be realized during your restructuring. Group these pain points and opportunities into themes.
2. Leverage the pain points and opportunities to help further define why this initiative is something you’re driving towards. Consider how you would justify this initiative to different stakeholders in the organization.
3. Questions to consider:
1. Who is asking for this initiative?
2. What are the primary benefits this is intended to produce?
3. What are you optimizing for?
4. What are we capable of achieving as an IT organization?
5. Are the drivers coming from inside or outside the IT organization?
4. Once you’ve determined the drivers for redesigning the IT organization, prioritize those drivers to ensure there is clarity when communicating why this is something you are focusing time and effort on.

Record the results in the Organizational Design Communications Deck

Frame the organizational design within the context of the business

Workforce Considerations:

• How does your organization view its people resources? Does it have the capacity to increase the number of resources?
• Do you currently have sufficient staff to meet the demands of the organization? Are you able to outsource resources when demand requires it?
• Are the members of your IT organization unionized?
• Is your workforce distributed? Do time zones impact how your team can collaborate?

Business context considerations

Business context considerations

Business context considerations

Business context considerations

Business context considerations

1.2 Create design principles based on the business context

1-3 hours

1. Discuss the business context in which the IT organizational redesign will be taking place. Consider the following standard components of the business context; include other relevant components specific to your organization:

• Culture
• Workforce Considerations
• Control and Governance
• Financial Constraints
• Business Perspective of IT
• Business Organization Structure and Growth
• Sourcing Strategy
• Change Tolerance
• Stakeholder Engagement and Focus
• Business Vision, Services, and Products

Record the results in the Organizational Design Communications Deck

How your IT organization is structured needs to reflect what it must be built to do

Structure follows strategy – the way you design will impact what your organization can produce.

Designing your IT organization requires an assessment of what it needs to be built to do:

• What are the most critical capabilities that you need to deliver, and what does success look like in those different areas?
• What are the most important things that you deliver overall in your organization?

The IT organization must reflect your business needs:

• Understand your value stream and/or your prioritized business goals.
• Understand the impact of your strategies – these can include your overall digital strategy and/or your IT strategy

1.3a (Optional Exercise) Identify the capabilities from your value stream

1 hour

1. Identify your organization’s value stream – what your overall organization needs to do from supplier to consumer to provide value. Leverage Info-Tech’s industry reference architectures if you haven’t identified your value stream, or use the Document Your Business Architecture blueprint to create yours.
2. For each item in your value stream, list capabilities that are critical to your organizational strategy and IT needs to further invest in to enable growth.
3. Also, list those that need further support, e.g. those that lead to long wait times, rework time, re-tooling, down-time, unnecessary processes, unvaluable processes.*
4. Capture the IT capabilities required to enable your business in your draft principles.

Source: Six Sigma Study Guide, 2014

Record the results in the Organizational Design Communications Deck

Your strategy will help you decide on your structure

Ensure that you have a clear view of the goals and initiatives that are needed in your organization. Your IT, digital, business, and/or other strategies will surface the IT capabilities your organization needs to develop. Identify the goals of your organization and the initiatives that are required to deliver on them. What capabilities are required to enable these? These capabilities will need to be reflected in your design principles.

Sample initiatives and capabilities from an organization’s strategies

1.3b Identify the capabilities required to deliver on your strategies

1 hour

1. For each IT goal, there may be one or more initiatives that your organization will need to complete in order to be successful.
2. Document those goals and infinitives. For each initiative, consider which core IT capabilities will be required to deliver on that goal. There might be one IT capability or there might be several.
3. Identify which capabilities are being repeated across the different initiatives. Consider whether you are currently investing in those capabilities in your current organizational structure.
4. Highlight the capabilities that require IT investment in your design principles.

Record the results in the Organizational Design Communications Deck

Create your organizational design principles

Your organizational design principles should define a set of loose rules that can be used to design your organizational structure to the specific needs of the work that needs to be done. These rules will guide you through the selection of the appropriate operating model that will meet your business needs. There are multiple ways you can hypothetically organize yourself to meet these needs, and the design principles will point you in the direction of which solution is the most appropriate as well as explain to your stakeholders the rationale behind organizing in a specific way. This foundational step is critical: one of the key reasons for organizational design failure is a lack of requisite time spent on the front-end understanding what is the best fit.

1.4 Finalize your list of design principles

1-3 hours

1. As a group, review the key outputs from your data collection exercises and their implications.
2. Consider each of the previous exercises – where does your organization stand from a maturity perspective, what is driving the redesign, what is the business context, and what are the key IT capabilities requiring support. Identify how each will have an implication on your organizational redesign. Leverage this conversation to generate design principles.
3. Vote on a finalized list of eight to ten design principles that will guide the selection of your operating model. Have everyone leave the meeting with these design principles so they can review them in more detail with their work units or functional areas and elicit any necessary feedback.
4. Reconvene the group that was originally gathered to create the list of design principles and make any final amendments to the list as necessary. Use this opportunity to define exactly what each design principle means in the context of your organization so everyone has the same understanding of what this means moving forward.

Record the results in the Organizational Design Communications Deck

Example design principles

Your eight to ten design principles will be those that are most relevant to YOUR organization. Below are samples that other organizations have created, but yours will not be the same.

Phase 2

Create the Operating Model Sketch

This phase will walk you through the following activities:

2.1 Augment the capability list

2.2 Heatmap capabilities to determine gaps in service

2.3 Identify the target state of sourcing for your IT capabilities

2.4 Review and select a base operating model sketch

2.5 Customize the selected overlay to reflect the desired future state

This phase involves the following participants:

• CIO
• IT Leadership

Embed change management into the organizational design process

Gain Buy-In

Obtain desire from stakeholders to move forward with organizational redesign initiative by involving them in the process to gain interest. This will provide the stakeholders with assurance that their concerns are being heard and will help them to understand the benefits that can be anticipated from the new organizational structure.

“You’re more likely to get buy-in if you have good reason for the proposed changes – and the key is to emphasize the benefits of an organizational redesign.”

Source: Lucid Chart

Info-Tech Insight

Just because people are aware does not mean they agree. Help different stakeholders understand how the change in the organizational structure is a benefit by specifically stating the benefit to them.

Info-Tech uses capabilities in your organizational design

We differentiate between capabilities and competencies.

Capabilities

• Capabilities are focused on the entire system that would be in place to satisfy a particular need. This includes the people who are competent to complete a specific task and also the technology, processes, and resources to deliver.
• Capabilities work in a systematic way to deliver on specific need(s).
• A functional area is often made up of one or more capabilities that support its ability to deliver on that function.
• Focusing on capabilities rather then the individuals in organizational redesign enables a more objective and holistic view of what your organization is striving toward.

Competencies

• Competencies on the other hand are specific to an individual. It determines if the individual poses the skills or ability to perform.
• Competencies are rooted in the term competent, which looks to understand if you are proficient enough to complete the specific task at hand.

Source: The People Development Magazine, 2020

Use our IT capabilities to establish your IT organization design

2.1 Augment the capability list

1-3 hours

1. Using the capability list on the previous slide, go through each of the IT capabilities and remove any capabilities for which your IT organization is not responsible and/or accountable. Refer to the Operating Model and Capability Definition List for descriptions of each of the IT capabilities.
2. Augment the language of specific capabilities that you feel are not directly reflective of what is being done within your organizational context or that you feel need to be changed to reflect more specifically how work is being done in your organization.

• For example, some organizations may refer to their service desk capability as help desk or regional support. Use a descriptive term that most accurately reflects the terminology used inside the organization today.

• For example, organizations that leverage DevOps capabilities for their product development may desire to designate this in their operating model.

Record the results in the Organizational Design Workbook

Gaps in delivery

Identify areas that require greater focus and attention.

Assess the gaps between where you currently are and where you need to be. Evaluate how critical and how effective your capabilities are:

• Criticality = Importance
• Try to focus on those which are highly critical to the organization.
• These may be capabilities that have been identified in your strategies as areas to focus on.
• Effectiveness = Performance
• Identify those where the process or system is broken or ineffective, preventing the team from delivering on the capability.
• Effectiveness could take into consideration how scalable, adaptable, or sustainable each capability is.
• Focus on the capabilities that are low or medium in effectiveness but highly critical. Addressing the delivery of these capabilities will lead to the most positive outcomes in your organization.

Remember to identify what allows the highly effective capabilities to perform at the capacity they are. Leverage this when increasing effectiveness elsewhere.

High Gap

There is little to no effectiveness (high gap) and the capability is highly important to your organization.

Medium Gap

Current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.

Low Gap

Current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.

2.2 Heatmap capabilities to determine gaps in delivery

1-3 hours

1. At this point, you should have identified what capabilities you need to have to deliver on your organization's goals and initiatives.
2. Convene a group of the key stakeholders involved in the IT organizational design initiative.
3. Review your IT capabilities and color each capability border according to the effectiveness and criticality of that capability, creating a heat map.

• Green indicates current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.
• Yellow indicates current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.
• Red indicates that there is little to no effectiveness (high gap) and the capability is highly important to your organization.

Record the results in the Organizational Design Workbook

Don’t forget the why: why are you considering outsourcing?

There are a few different “types” of outsourcing:

1. Competitive Advantage – Working with a third-party organization for the knowledge, insights, and best practices they can bring to your organization.
2. Managed Service– The third party manages a capability or function for your organization.
3. Staff Augmentation – Your organization brings in contractors and third-party organizations to fill specific skills gaps.

Weigh which sourcing model(s) will best align with the needed capabilities to deliver effectively

Your strategy for outsourcing will vary with capability and capacity

Use these criteria to inform your right sourcing strategy

2.3 Identify capabilities that could be outsourced

1-3 hours

1. For each of the capabilities that will be in your future-state operating model, determine if it could be outsourced. Review the sourcing criteria available on the previous slide to help inform which sourcing strategy you will use for each capability.
2. When looking to outsource or co-source capabilities, consider why that capability would be outsourced:

• Competitive Advantage – Work with a third-party organization for the knowledge, insights, and best practices they can bring to your organization.
• Managed Service – The third party manages a capability or function for your organization.
• Staff Augmentation – Your organization brings in contractors and third-party organizations to fill specific skills gaps.

Record the results in the Organizational Design Workbook

What is an operating model?

Leverage a cohesive operating model throughout the organizational design process.

An IT operating model sketch is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint.

The visual should be the optimization and alignment of the IT organization’s structure to deliver the capabilities required to achieve business goals. Additionally, it should clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization. Investing time in the front end getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and your model to change as the business changes.

Info-Tech Insight

Every structure decision you make should be based on an identified need, not on a trend.Build your IT organization to enable the priorities of the organization.

Each IT operating model is characterized by a variety of advantages and disadvantages

Decentralization can take many forms – define what it means to your organization

Decentralization can take a number of different forms depending on the products the organization supports and how the organization is geographically distributed. Use the following set of explanations to understand the different types of decentralization possible and when they may make sense for supporting your organizational objectives.

Line of Business

Decentralization by lines of business (LoB) aligns decision making with business operating units based on related functions or value streams. Localized priorities focus the decision making from the CIO or IT leadership team. This form of decentralization is beneficial in settings where each line of business has a unique set of products or services that require specific expertise or flexible resourcing staffing between the teams.

Product Line

Decentralization by product line organizes your team into operationally aligned product families to improve delivery throughput, quality, and resource flexibility within the family. By adopting this approach, you create stable product teams with the right balance between flexibility and resource sharing. This reinforces value delivery and alignment to enterprise goals within the product lines.

Geographical

Geographical decentralization reflects a shift from centralized to regional influences. When teams are in different locations, they can experience a number of roadblocks to effective communication (e.g. time zones, regulatory differences in different countries) that may necessitate separating those groups in the organizational structure, so they have the autonomy needed to make critical decisions.

Functional

Functional decentralization allows the IT organization to be separated by specialty areas. Organizations structured by functional specialization can often be organized into shared service teams or centers of excellence whereby people are grouped based on their technical, domain, or functional area within IT (Applications, Data, Infrastructure, Security, etc.). This allows people to develop specialized knowledge and skills but can also reinforce silos between teams.

2.4 Review and select a base operating model sketch

1 hour

1. Review the set of base operating model sketches available on the following slides.
2. For each operating model sketch, there are benefits and risks to be considered. Make an informed selection by understanding the risks that your organization might be taking on by adopting that particular operating model.
3. If at any point in the selection process the group is unsure about which operating model will be the right fit, refer back to your design principles established in activity 1.4. These should guide you in the selection of the right operating model and eliminate those which will not serve the organization.

Record the results in the Organizational Design Workbook

Centralized Operating Model #1: Plan-Build-Run

I want to…

• Establish a formalized governance process that takes direction from the organization on which initiatives should be prioritized by IT.
• Ensure there is a clear separation between teams that are involved in strategic planning, building solutions, and delivering operational support.
• Be able to plan long term by understanding the initiatives that are coming down the pipeline and aligning to an infrequent budgeting plan.

BENEFITS

• Effective at implementing long-term plans efficiently; separates maintenance and projects to allow each to have the appropriate focus.
• More oversight over financials; better suited for fixed budgets.
• Works across centralized technology domains to better align with the business’ strategic objectives – allows for a top-down approach to decision making.
• Allows for economies of scale and expertise pooling to improve IT’s efficiency.
• Well-suited for a project-driven environment that employs waterfall or a hybrid project management methodology that is less iterative.

RISKS

• Creates artificial silos between the build (developers) and run (operations staff) teams, as both teams focus on their own responsibilities and often fail to see the bigger picture.
• Miss opportunities to deliver value to the organization or innovate due to an inability to support unpredictable/shifting project demands as decision making is centralized in the plan function.
• The portfolio of initiatives being pursued is often determined before requirements analysis takes place, meaning the initiative might be solving the wrong need or problem.
• Depends on strong hand-off processes to be defined and strong knowledge transfer from build to run functions in order to be successful.

Centralized Operating Model #2: Demand-Develop-Service

I want to…

• Listen to the business to understand new initiatives or service enhancements being requested.
• Enable development and operations to work together to seamlessly deliver in a DevOps culture.
• Govern and confirm that initiatives being requested by the business are still aligned to IT’s overarching strategy and roadmap before prioritizing those initiatives.

BENEFITS

• Aligns well with an end-to-end services model; constant attention to customer demand and service supply.
• Centralizes service operations under one functional area to serve shared needs across lines of business.
• Allows for economies of scale and expertise pooling to improve IT’s efficiency.
• Elevates sourcing and vendor management as its own strategic function; lends well to managed service and digital initiatives.
• Development and operations housed together; lends well to DevOps-related initiatives and reduces the silos between these two core groups.

RISKS

• IT prioritizes the initiatives it thinks are a priority to the business based on how well it establishes good stakeholder relations and communications.
• Depends on good governance to prevent enhancements and demands from being prioritized without approval from those with accountability and authority.
• This model thrives in a DevOps culture but does not mean it ensures your organization is a “DevOps” organization. Be sure you're encouraging the right behaviors and attitudes.

Hybrid Operating Model #1: LOB/Functional Aligned

I want to…

• Better understand the various needs of the organization to align IT priorities and ensure the right services can be delivered.
• Keep all IT decisions centralized to ensure they align with the overarching strategy and roadmap that IT has set.
• Organize your shared services in a strategic manner that enables delivery of those services in a way that fits the culture of the organization and the desired method of operating.