Define a Sourcing Strategy for Your Development Team

Choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

Analyst Perspective

Choosing the right sourcing strategy for your development team is about assessing your technical situation, your business needs, your organizational culture, and your ability to manage partners!

Firms today are under continuous pressure to innovate and deliver new features to market faster while at the same time controlling costs. This has increased the need for higher throughput in their development teams along with a broadening of skills and knowledge. In the face of these challenges, there is a new focus on how firms source their development function. Should they continue to hire internally, offshore, or outsource? How do they decide which strategy is the right fit?

Info-Tech’s research shows that the sourcing strategy considerations have evolved beyond technical skills and costs. Identifying the right strategy has become a function of the characteristics of the organization, its culture, its reliance on the business for knowledge, its strategic value of the application, its vendor management skills, and its ability to internalize external knowledge. By assessing these factors firms can identify the best sourcing mix for their development portfolios.

Dr. Suneel Ghei
Principal Research Director, Application Development
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

Define a sourcing strategy for your development team

Business Business knowledge/ expertise required Product owner maturity Technical Complexity and maturity of technical environment Required level of integration Organizational Company culture Desired geographic proximity Required vendor management skills	Assess your current delivery posture for challenges and impediments. Decide whether to build or buy a solution. Select your desired sourcing strategy based on your current state and needs.
Three Perspectives +	Three Steps =	Your Sourcing Strategy

Diverse sourcing is used by many firms

Internal sourcing models

Insourcing comes in three distinct flavors

Info-Tech Insight

Insourcing allows you to stay close to more strategic applications. But choosing the right model requires a strong look inside your organization and your ability to provide business knowledge support to developers who may have different skills and cultures and are in different geographies.

Outsourcing models

External sourcing can be done to different degrees

Info-Tech Insight

Outsourcing represents one of the most popular ways for organizations to source external knowledge and skills. The choice of model is a function of the organization’s ability to support the external resources and to absorb the knowledge back into the organization.

Defining your sourcing strategy

Follow the steps below to identify the best match for your organization

Review Your Current Situation Review the issues and opportunities related to application development and categorize them based on the key factors.

Assess Build Versus Buy Before choosing a sourcing model you must assess whether a particular product or function should be bought as a package or developed.

Choose the Right Sourcing Strategy Based on the research, use the modeling tool to match the situation to the appropriate sourcing solution.

Step 1.1

Review Your Current Situation

Activities

• 1.1.1 Identify and categorize your challenges

This step involves the following participants:

• Product management team
• Software development leadership team
• Key stakeholders

Review your current delivery posture for challenges and impediments.

Review your situation

There are three key areas to examine in your current situation:

Business Challenges Do you need to gain new knowledge to drive innovation? Does your business need to enhance its software to improve its ability to compete in the market? Do you need to increase your speed of innovation? Technology Challenges Are you being asked to take tighter control of your development budgets? Does your team need to expand their skills and knowledge? Do you need to increase your development speed and capacity? Market Challenges Is your competition seen as more innovative? Do you need new features to attract new clients? Are you struggling to find highly skilled and knowledgeable development resources?

Info-Tech Insight Sourcing is a key tool to solve business and technical challenges and enhance market competitiveness when coupled with a robust definition of objectives and a way to measure success.

1.1.1 Identify and categorize your challenges

Output: List of the key challenges in your software lifecycle. Breakdown of the list into categories to identify opportunities for sourcing

Participants: Product management team, Software development leadership team, Key stakeholders

1. What challenge is your firm is facing with respect to your software that you think sourcing can address? (20 minutes)
2. Is the challenge related to a business outcome, development methodology, or technology challenge? (10 minutes)
3. Is the challenge due to a skills gap, budget or resource challenge, throughput issue, or a broader organizational knowledge or process issue? (10 minutes)
4. What is the specific objective for the team/leader in addressing this challenge? (15 minutes)
5. How will you measure progress and achievement of this objective? (5 minutes)

Document results in the Define a Sourcing Strategy Workbook

Identify and categorize your challenges

Step 1.2

Assess Build Versus Buy

Activities

• 1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

This step involves the following participants:

• Product management team
• Software development leadership team
• Key stakeholders

Outcomes of this step

Understand in your context the benefits and drawbacks of build versus buy, leveraging Info-Tech’s recommended definitions as a starting point.

Define a Sourcing Strategy for Your Development Team

Look vertically across the IT hierarchy to assess the impact of your decision at every level

Regardless of the industry, a common and challenging dilemma facing technology teams is to determine when they should build software or systems in-house versus when they should rely wholly on an outside vendor for delivering on their technology needs. The answer is not as cut and dried as one would expect. Any build versus buy decision may have an impact on strategic and operational plans. It touches every part of the organization, starting with individual projects and rolling up to the enterprise strategy.

Info-Tech Insight

Do not ignore the impact of a build or buy decision on the various management levels in an IT organization.

Deciding whether to build or buy

It is as much about what you gain as it is about what problem you choose to have

1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

30 minutes

Output: A common understanding of the different approaches to build versus buy applied to your organizational context

Participants: Product management team, Software development leadership team, Key stakeholders

1. Look at the previous slide, Deciding whether to build or buy.
2. Discuss the pros and cons listed for each approach.
   1. Do they apply in your context? Why or why not?
   2. Are there some approaches not applicable in terms of how you wish to work?
3. Record the curated list of pros and cons for the different build/buy approaches.
4. For each approach, arrange the pros and cons in order of importance.

Document results in the Define a Sourcing Strategy Workbook

Step 1.3

Choose the Right Sourcing Strategy

Activities

• 1.3.1 Determine the right sourcing strategy for your needs

This step involves the following participants:

• Product management team
• Software development leadership team
• Key stakeholders

Outcomes of this step

Choose your desired sourcing strategy based on your current state and needs.

Define a Sourcing Strategy for Your Development Team

Choose the right sourcing strategy

Business drivers

To choose the right sourcing strategy, you need to assess your key drivers of delivery

Product Knowledge The level of business involvement required to support the development team is a critical factor in determining the sourcing model. Both the breadth and depth of involvement are critical factors. Strategic Value The strategic value of the application to the company is also a critical component. The more strategic the application is to the company, the closer the sourcing should be maintained. Value can be assessed based on the revenue derived from the application and the depth of use of the application by the organization. Product Ownership Maturity To support sourcing models that move further from organizational boundaries a strong product ownership function is required. Product owners should ideally be fully allocated to the role and engaged with the development teams. Product owners should be empowered to make decisions related to the product, its vision, and its roadmap. The higher their allocation and empowerment, the higher the chances of success in external sourcing engagements.

Case Study: The GoodLabs Studio Experience

INDUSTRY: Software Development | SOURCE: Interview with Thomas Lo, Co-Founder, GoodLabs Studio

Organizational drivers

To choose the right sourcing strategy for a particular problem you need to assess the organization’s key capabilities

Vendor Management Vendor management is a critical skill for effective external sourcing. This can be assessed based on the organization’s ability to cultivate and grow long-term relationships of mutual value. The longevity and growth of existing vendor relationships can be a good benchmark for future success. Absorptive Capacity To effectively make use of external sourcing models, the organization must have a well-developed track record of absorbing outside knowledge. This can be assessed by looking at past cases where external knowledge was sourced and internalized, such as past vendor development engagements or use of open-source code. Organizational Culture Another factor in success of vendor engagements and long-term relationships is the matching of organizational cultures. It is key to measure the organization’s current position on items like communication strategy, geographical dispersal, conflict resolution strategy, and hierarchical vs flat management. These factors should be documented and matched with partners to determine the best fit.

Case Study: WCIRB California

INDUSTRY: Workers Compensation Insurance | SOURCE: Interview with Roger Cottman, Senior VP and CIO, WCIRB California

Technical drivers

To choose the right sourcing strategy for a particular problem you need to assess your technical situation and capabilities

Environment Complexity The complexity of your technical environment is a hurdle that must be overcome for external sourcing models. The number of environments used in the development lifecycle and the location of environments (physical, virtual, on-premises, or cloud) are key indicators. Integration Requirements The complexity of integration is another key technical driver. The number of integrations required for the application is a good measuring stick. Will it require fewer than 5, 5-10, or more than 10? Testing Capabilities Testing of the application is a key technical driver of success for external models. Having well-defined test cases, processes, and shared execution with the business are all steps that help drive success of external sourcing models. Test automation can also help facilitate success of external models. Measure the percentage of test cases that are standardized, the level of business involvement, and the percentage of test cases that are automated.

Case Study: Management Control Systems (MC Systems)

INDUSTRY: Technology Services | SOURCE: Interview with Kathryn Chin See, Business Development and Research Analyst, MC Systems

1.3.1 Determine the right sourcing strategy for your needs

60 minutes

Output: A scored matrix of the key drivers of the sourcing strategy

Participants: Development leaders, Product management team, Key stakeholders

Choose one of your products or product families and assess the factors below on a scale of None, Low, Medium, High, and Full.

• 3.1 Assess the business factors that drive selection using these key criteria (20 minutes):
  • 3.1.1 Product knowledge
  • 3.1.2 Strategic value
  • 3.1.3 Product ownership
• 3.2 Assess the organizational factors that drive selection using these key criteria (20 minutes):
  • 3.2.1 Vendor management
  • 3.2.2 Absorptive capacity
  • 3.2.3 Organization culture
• 3.3 Assess the technical factors that drive selection using these key criteria (20 minutes):
  • 3.3.1 Environments
  • 3.3.2 Integration
  • 3.3.3 Testing

Document results in the Define a Sourcing Strategy Workbook

Things to Consider When Implementing

Once you have built your strategy there are some additional things to consider

Things to Consider Before Acting on Your Strategy

By now you understand what goes into an effective sourcing strategy. Before implementing one, there are a few key items you need to consider:

Start with a pilot Changing sourcing needs to start with one team. Grow as skills develop to limit risk. Build an IT workforce plan Build an integrated workforce plan for the organization. Refer to our research: Build a Strategic IT Workforce Plan. Enhance your vendor management skills Refer to our research: Manage Your Vendor Before They Manage You. Involve the business early and often The business should feel they are part of the discussion. See our Agile/DevOps Research Center for more information on how the business and IT can better work together. Limit sourcing complexity Having too many different partners and models creates confusion and will strain your ability to manage vendors effectively.

Bibliography

Apfel, Isabella, et al. “IT Project Member Turnover and Outsourcing Relationship Success: An Inverted-U Effect.” Developments, Opportunities and Challenges of Digitization, 2020. Web.

Benamati, John, and Rajkumar, T.M. “The Application Development Outsourcing Decision: An Application of the Technology Acceptance Model.” Journal of Computer Information Systems, vol. 42, no. 4, 2008, pp. 35-43. Web.

Benamati, John, and Rajkumar, T.M. “An Outsourcing Acceptance Model: An Application of TAM to Application Development Outsourcing Decisions.” Information Resources Management Journal, vol. 21, no. 2, pp. 80-102, 2008. Web.

Broekhuizen, T. L. J., et al. “Digital Platform Openness: Drivers, Dimensions and Outcomes.” Journal of Business Research, vol. 122, July 2019, pp. 902-914. Web.

Brook, Jacques W., and Albert Plugge. “Strategic Sourcing of R&D: The Determinants of Success.” Business Information Processing, vol. 55, Aug. 2010, pp. 26-42. Web.

Delen, G. P A.J., et al. “Foundations for Measuring IT-Outsourcing Success and Failure.” Journal of Systems and Software, vol. 156, Oct. 2019, pp. 113-125. Web.

Elnakeep, Eman, et al. “Models and Frameworks for IS Outsourcing Structure and Dimensions: A Holistic Study.” Lecture notes in Networks and Systems, 2019. Web.

Ghei, Suneel. Modeling Absorptive Capacity for Open Innovation in the Software Industry. 2020. Faculty of Graduate Studies, Athabasca University, 2020. DBA Dissertation.

“IT Outsourcing Market Research Report by Service Model, Organization Sizes, Deployment, Industry, Region – Global Forecast to 2027 – Cumulative Impact of COVID-19.” ReportLinker, April 2022. Web.

Jeong, Jongkil Jay, et al. “Enhancing the Application and Measurement of Relationship Quality in Future IT Outsourcing Studies.” 26th European Conference on Information Systems: Beyond Digitization – Facets of Socio-Tehcnical Change: Proceedings of ECIS 2018, Portsmouth, UK, June 23-28, 2018. Edited by Peter Bednar, et al., 2018. Web.

Könning, Michael. “Conceptualizing the Effect of Cultural Distance on IT Outsourcing Success.” Proceedings of Australasian Conference on Information Systems 2018, Sydney, Australia, Dec. 3-5, 2018. Edited by Matthew Noble, UTS ePress, 2018. Web.

Lee, Jae-Nam, et al. “Holistic Archetypes of IT Outsourcing Strategy: A Contingency Fit and Configurational Approach.” MIS Quarterly, vol. 43, no. 4, Dec. 2019, pp. 1201-1225. Web.

Loukis, Euripidis, et al. “Determinants of Software-as-a-Service Benefits and Impact on Firm Performance.” Decision Support Systems, vol. 117, Feb. 2019, pp. 38-47. Web.

Martensson, Anders. “Patterns in Application Development Sourcing in the Financial Industry.” Proceedings of the 13th European Conference of Information Systems, 2004. Web.

Martínez-Sánchez, Angel, et al. “The Relationship Between R&D, the Absorptive Capacity of Knowledge, Human Resource Flexibility and Innovation: Mediator Effects on Industrial Firms.” Journal of Business Research, vol. 118, Sept. 2020, pp. 431-440. Web.

Moreno, Valter, et al. “Outsourcing of IT and Absorptive Capacity: A Multiple Case Study in the Brazilian Insurance Sector.” Brazilian Business Review, vol. 17, no. 1, Jan.-Feb. 2020, pp. 97-113. Web.

Ozturk, Ebru. “The Impact of R&D Sourcing Strategies on Basic and Developmental R&D in Emerging Economies.” European Journal of Innovation Management, vol. 21, no. 7, May 2018, pp. 522-542. Web.

Ribas, Imma, et al. “Multi-Step Process for Selecting Strategic Sourcing Options When Designing Supply Chains.” Journal of Industrial Engineering and Management, vol. 14, no. 3, 2021, pp. 477-495. Web.

Striteska, Michaela Kotkova, and Viktor Prokop. “Dynamic Innovation Strategy Model in Practice of Innovation Leaders and Followers in CEE Countries – A Prerequisite for Building Innovative Ecosystems.” Sustainability, vol. 12, no. 9, May 2020. Web.

Thakur-Wernz, Pooja, et al. “Antecedents and Relative Performance of Sourcing Choices for New Product Development Projects.” Technovation, 2020. Web.

Build Your Enterprise Innovation Program

Transform your business by adopting the culture and practices that drive innovation.

Analyst Perspective

Innovation is not about ideas, it's about people.

Many organizations stumble when implementing innovation programs. Innovation is challenging to get right, and even more challenging to sustain over the long term.

One of the common stumbling blocks we see comes from organizations focusing more on the ideas and the process than on the culture and the people needed to make innovation a way of life. However, the most successful innovators are the ones which have adopted a culture of innovation and reinforce innovative behaviors across their organization. Organizational cultures which promote growth mindset, trust, collaboration, learning, and a willingness to fail are much more likely to produce successful innovators.

This research is not just about culture, but culture is the starting point for innovation. My hope is that organizations will go beyond the processes and methodologies laid out here and use this research to dramatically improve their organization's performance.

Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group

Executive Summary

Your Challenge

As a leader in your organization, you need to:

• Understand your organization's innovation goals.
• Create an innovation program or structure.
• Develop a culture of innovation across your team or organization.
• Demonstrate an ability to innovate and grow the business.

Common Obstacles

In the past, you might have experienced one or more of the following:

• Innovation initiatives lose momentum.
• Cynicism and distrust hamper innovation.
• Innovation efforts are unfocused or don't provide the anticipated value.
• Bureaucracy has created a bottleneck that stifles innovation.

Info-Tech's Approach

This blueprint will help you:

• Understand the different types of innovation.
• Develop a clear vision, scope, and focus.
• Create organizational culture and behaviors aligned with your innovation ambitions.
• Adopt an operational model and methodologies best suited for your culture, goals, and budget.
• Successfully run a pilot program.

Info-Tech Insight

There is no single right way to approach innovation. Begin with an understanding of your innovation ambitions, your existing culture, and the resources available to you, then adopt the innovation operating model that is best suited to your situation.

Note: This research is written for the individual who is leading the development of the innovation. This role is referred to as the Chief Innovation Officer (CINO) throughout this research but could be the CIO, CTO, IT director, or another business leader.

Why is innovation so challenging?

Most organizations want to be innovative, but very few succeed.

• Bureaucracy slows innovation: Innovation requires speed – it is important to fail fast and early so you can iterate to improve the final solution. Small, agile organizations like startups tend to be more risk tolerant and can move more quickly to iterate on new ideas compared to larger organizations.
• Change is uncomfortable: Most people are profoundly uncomfortable with failure, risk, and unknowns – three critical components of innovation. Humans are wired to think efficiently rather than innovatively, which leads to confirmation bias and lack of ingenuity.
• You will likely fail: Innovation initiatives rarely succeed on the first try – Harvard Business Review estimates between 70% and 90% of innovation efforts fail. Organizations which are more tolerant of failure tend to be significantly more innovative than those which are not (Review of Financial Studies, 2014).

Based on a survey of global innovation trends and practices:

The biggest obstacles to innovation are cultural

The biggest obstacles to innovation in large companies

Based on a survey of 270 business leaders.
Source: Harvard Business Review, 2018

The most common challenges business leaders experience relate to people and culture. Success is based on people, not ideas.

Politics, turf wars, and a lack of alignment: territorial departments, competition for resources, and unclear roles are holding back the innovation efforts of 55% of respondents.

FIX IT
Senior leadership needs to be clear on the innovation goals and how business units are expected to contribute to them.

Cultural issues: many large companies have a culture that rewards operational excellence and disincentivizes risk. A history of failed innovation attempts may result in significant resistance to new change efforts.

FIX IT
Cultural change takes time. Ensure you are rewarding collaboration and risk-taking, and hire people with fresh new perspectives.

Inability to act on signals crucial to the future of the business: only 18% of respondents indicated their organization was unaware of disruptions, but 42% said they struggled with acting on leading indicators of change.

FIX IT
Build the ability to quickly run pilots or partner with startups and incubators to test out new ideas without lengthy review and approval processes.
Source: Harvard Business Review, 2018

Build Your Enterprise Innovation Program

Define your purpose, assess your culture, and build a practice that delivers true innovation.

1 Source: Boston Consulting Group, 2021
2 Source: Boston Consulting Group, 2019
3 Source: Harvard Business Review, 2018

Use this research to outperform your peers

A seven-year review showed that the most innovative companies outperformed the market by upwards of 30%.

Innovators are defined as companies that were listed on Fast Company World's 50 Most Innovative Companies for 2+ years.

Innovation is critical to business success.

A 25-year study by Business Development Canada and Statistics Canada showed that innovation was more important to business success than management, human resources, marketing, or finance.

Executive brief case study

INDUSTRY: Healthcare
SOURCE: Interview

Culture is critical

This Info-Tech member is a nonprofit, community-based mental health organization located in the US. It serves about 25,000 patients per year in community, school, and clinic settings.

This organization takes its innovation culture very seriously and has developed methodologies to assess individual and team innovation readiness as well as innovation types, which it uses to determine everyone's role in the innovation process. These assessments look at knowledge of and trust in the organization, its innovation profile, and its openness to change. Innovation enthusiasts are involved early in the process when it's important to dream big, while more pragmatic perspectives are incorporated later to improve the final solution.

Results

The organization has developed many innovative approaches to delivering healthcare. Notably, they have reimagined patient scheduling and reduced wait times to the extent that some patients can be seen the same day. They are also working to improve access to mental health care despite a shortage of professionals.

Developing an Innovative Culture

• Innovation Readiness Assessment
• Coaching Specific to Innovation Profile
• Innovation Enthusiasts Involved Early
• Innovation Pragmatists Involved Later
• High Success Rate of Innovation

Define innovation roles and responsibilities

Info-Tech's methodology for building your enterprise innovation program

Innovation program taxonomy

This research uses the following common terms:

Innovation Operating Model
The operating model describes how the innovation program delivers value to the organization, including how the program is structured, the steps from idea generation to enterprise launch, and the methodologies used.
Examples: Innovation Hub, Grassroots Innovation.

Innovation Methodology
Methodologies describe the ways the operating model is carried out, and the approaches used in the innovation practice.
Examples: Design Thinking, Weighted Criteria Scoring

Chief Innovation Officer
This research is written for the person or team leading the innovation program – this might be a CINO, CIO, or other leader in the organization.

Innovation Team
The innovation team may vary depending on the operating model, but generally consists of the individuals involved in facilitating innovation across the organization. This may be, but does not have to be, a dedicated innovation department.

Innovation Program
The program for generating ideas, running pilot projects, and building a business case to implement across the enterprise.

Pilot Project
A way of testing and validating a specific concept in the real world through a minimum viable product or small-scale implementation. The pilot projects are part of the overall pilot program.

Insight summary

Innovation is about people, not ideas or processes
Innovation does not require a formal process, a dedicated innovation team, or a large budget; the most important success factor for innovation is culture. Companies that facilitate innovative behaviors like growth mindset, collaboration, and the ability to take smart risk are most likely to see the benefits of innovation.

Very few are doing innovation well
Only 30% of companies consider themselves innovative, and there's a good reason: innovation involves unknowns, risk, and failure – three situations that people and organizations typically do their best to avoid. Counter this by removing the barriers to innovation.

Culture is the greatest barrier to innovation
In a survey of 270 business leaders, the top three most common obstacles were politics, turf wars, and alignment; culture issues; and inability to act on signals crucial to the business (Harvard Business Review, 2018). If you don't have a supportive culture, your ability to innovate will be significantly reduced.

Innovation is a means to an end
It is not the end itself. Don't get caught up in innovation for the sake of innovation – make sure you are getting the benefits from your investments. Measurable success factors are critical for maintaining the long-term success of your innovation engine.

Tackle wicked problems
Innovative approaches are better at solving complex problems than traditional practices. Organizations that prioritize innovation during a crisis tend to outperform their peers by over 30% and improve their market position (McKinsey, 2020).

Innovate or die
Innovation is critical to business growth. A 25-year study showed that innovation was more important to business success than management, human resources, marketing, or finance (Statistics Canada, 2006).

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Sample Job Descriptions and Organization Charts

Determine the skills, knowledge, and structure you need to make innovation happen.

Ideation Session Template

Facilitate an ideation session with your staff to identify areas for innovation.

Initiative Prioritization Workbook

Evaluate ideas to identify those which are most likely to provide value.

Key deliverable:

Enterprise Innovation Program Summary

Communicate how you plan to innovate with a report summarizing the outputs from this research.

Measure the value of this research

US businesses spend over half a trillion dollars on innovation annually. What are they getting for it?

• The top innovators(1) typically spend 5-15% of their budgets on innovation (including R&D).
• This research helps organizations develop a successful innovation program, which delivers value to the organization in the form of new products, services, and methods.
• Leverage this research to:
  • Get your innovation program off the ground quickly.
  • Increase internal knowledge and expertise.
  • Generate buy-in and excitement about innovation.
  • Develop the skills and capabilities you need to drive innovation over the long term.
  • Validate your innovation concept.
  • Streamline and integrate innovation across the organization.

(1) based on BCG's 50 Most Innovative Companies 2022

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided implementation

What does a typical guided implementation (GI) on this topic look like?

A GI is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 12 calls over the course of three to six months.

Workshop overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1: Define Your Purpose

Develop a better understanding of the drivers for innovation and what success looks like.

This phase will walk you through the following activities:

• Understand your innovation mandate, including its drivers, scope, and focus.
• Define what innovation means to your organization.
• Develop an innovation vision and guiding principles.
• Articulate the value proposition and proposed metrics for evaluating program success.

This phase involves the following participants:

• CINO
• Business executives

Case study

INDUSTRY: Transportation
SOURCE: Interview

ArcBest
ArcBest is a multibillion-dollar shipping and logistics company which leverages innovative technologies to provide reliable and integrated services to its customers.

An Innovative Culture Starts at the Top
ArcBest's innovative culture has buy-in and support from the highest level of the company. Michael Newcity, ArcBest's CEO, is dedicated to finding better ways of serving their customers and supports innovation across the company by dedicating funding and resources toward piloting and scaling new initiatives.
Having a clear purpose and mandate for innovation at all levels of the organization has resulted in extensive grassroots innovation and the development of a formalized innovation program.

Results
ArcBest has a legacy of innovation, going back to its early days when it developed a business intelligence solution before anything else existed on the market. It continues to innovate today and is now partnering with start-ups to further expand its innovation capabilities.

"We don't micromanage or process-manage incremental innovation. We hire really smart people who are inspired to create new things and we let them run – let them create – and we celebrate it.
Our dedication to innovation comes from the top – I am both the President and the Chief Innovation Officer, and innovation is one of my top priorities."

Michael Newcity
President and Chief Innovation Officer ArcBest

1.1 Understand your innovation mandate

Before you can act, you need to understand the following:

• Where is the drive for innovation coming from?
  The source of your mandate dictates the scope of your innovation practice – in general, innovating outside the scope of your mandate (i.e. trying to innovate on products when you don't have buy-in from the product team) will not be successful.
• What is meant by "innovation"?
  There are many different definitions for innovation. Before pursuing innovation at your organization, you need to understand how it is defined. Use the definition in this section as a starting point, and craft your own definition of innovation.
• What kind of innovation are you targeting?
  Innovation can be internal or external, emergent or deliberate, and incremental or radically transformative. Understanding what kind of innovation you want is the starting point for your innovation practice.

The source of your mandate dictates the scope of your influence

You can only influence what you can control.

Unless your mandate comes from the CEO or Board of Directors, driving enterprise-wide innovation is very difficult. If you do not have buy-in from senior business leaders, use lighthouse projects and a smaller innovation practice to prove the value of innovation before taking on enterprise innovation.

In order to execute on a mandate to build innovation, you don't just need buy-in. You need support in the form of resources and funding, as well as strong leadership who can influence culture and the authority to change policies and practices that inhibit innovation.

For more resources on building relationships in your organization, refer to Info-Tech's Become a Transformational CIO blueprint.

What is "innovation"?

Innovation is often easier to recognize than define.

Align on a useful definition of innovation for your organization before you embark on a journey of becoming more innovative.

Innovation is the practice of developing new methods, products or services which provide value to an organization.

Practice
This does not have to be a formal process – innovation is a means to an end, not the end itself.

New
What does "new" mean to you?

• New application of an existing method
• Developing a completely original product
• Adopting a service from another industry

Value
What does value mean to you? Look to your business strategy to understand what goals the organization is trying to achieve, then determine how "value" will be measured.

Info-Tech Insight

Some innovations are incremental, while some are radically transformative. Decide what kind of innovation you want to cultivate before developing your strategy.

We can categorize innovation in three ways

Evaluate your goals with respect to innovation: focus, strategy, and potential to transform.

Focus: Where will you innovate?

Strategy: To what extent will you guide innovation efforts?

Potential: How radical will your innovations be?

What are your ambitions?

1. Develop a better understanding of what type of innovation you are trying to achieve by plotting out your goals on the categories on the left.
2. All categories are independent of one another, so your goals may fall anywhere on the scales for each category.
3. Understanding your innovation ambitions helps establish the operating model best suited for your innovation practice.
4. In general, innovation which is more external, deliberate, and radical tends to be more centralized.

Activity 1.1 Understand your innovation mandate

1 hour

1. Schedule a 30-minute discussion with the person (i.e. CEO) or group (i.e. Board of Directors) ultimately requesting the shift toward innovation. If there is no external party, then conduct this assessment yourself.
2. Facilitate a discussion that addresses the following questions:

• What is meant by "innovation"?
• What are they hoping to achieve through innovation?
• What is the innovation scope? Are any areas off-limits (i.e. org structure, new products, certain markets)?
• What is the budget (i.e. people, money) they are willing to commit to innovation?
• What type of innovation are they pursuing?

3. Record this information and complete the "Our Purpose" section of the Innovation Program Template.

Download the Innovation Program Template.

Input

• Knowledge of the key decision maker/sponsor for innovation

Output

• Understanding of the mandate for innovation, including definition, value, scope, budget, and type of innovation

Materials

• Innovation Program Template

Participants

• CINO
• CEO, CTO, or Board of Directors (whoever is requesting/sponsoring the pursuit of innovation)

1.2 Define your innovation ambitions

Articulate your future state through a vision and guiding principles.

• Vision and purpose make up the foundation on which all other design aspects will be based. These aspects should not be taken lightly, but rather they should be the force that aligns everyone to work toward a common outcome. It is incumbent on leaders to make them part of the DNA of the organization – to drive organization, structure, culture, and talent strategy.
• Your vision statement is a future-focused statement that summarizes what you hope to achieve. It should be inspirational, ambitious, and concise.
• Your guiding principles outline the guardrails for your innovation practice. What will your focus be? How will you approach innovation? What is off-limits?
• Define the scope and focus for your innovation efforts. This includes what you can innovate on and what is off limits.

Your vision statement is your North Star

Articulate an ambitious, inspirational, and concise vision statement for your innovation efforts.

A strong vision statement:

• Is future-focused and outlines what you want to become and what you want to achieve.
• Provides focus and direction.
• Is ambitious, focused, and concise.
• Answers: What problems are we solving? Who and what are we changing?

Examples:

• "We create radical new technologies to solve some of the world's hardest problems." – Google X, the Moonshot Factory
• "To be the most innovative enterprise in the world." – 3M
• "To use our imagination to bring happiness to millions of people." – Disney

"Good business leaders create a vision, articulate the vision, passionately own the vision, and relentlessly drive it to completion." – Jack Welch, Former Chairman and CEO of GE

Your guiding principles are the guardrails for creativity

Strong guiding principles give your team the freedom and direction to innovate.

Strong guiding principles:

• Focus on the approach, i.e. how things are done, as opposed to what needs to be done.
• Are specific to the organization.
• Inform and direct decision making with actionable statements. Avoid truisms, general statements, and observations.
• Are long-lasting and based on values, not solutions.
• Are succinct and easily digestible.
• Can be measured and verified.
• Answers: How do we approach innovation? What are our core values

Craft your guiding principles using these examples

Encourage experimentation and risk-taking
Innovation often requires trying new things, even if they might fail. We encourage experimentation and learn from failure, so that new ideas can be tested and refined.

Foster collaboration and cross-functional teams
Innovation often comes from the intersection of different perspectives and skill sets.

Customer-centric
Focus on creating value for the end user. This means understanding their needs and pain points, and using that knowledge to develop new methods, products, or services.

Embrace diversity and inclusivity
Innovation comes from a variety of perspectives, backgrounds, and experiences. We actively seek out and encourage diversity and inclusivity among our team members.

Foster a culture of learning and continuous improvement
Innovation requires continuous learning, development, and growth. We facilitate a culture that encourages learning and development, and that seeks feedback and uses it to improve.

Flexible and adaptable
We adapt to changes in the market, customer needs, and new technologies, so that it can continue to innovate and create value over time.

Data-driven
We use performance metrics and data to guide our innovation efforts.

Transparency
We are open and transparent in our processes and let the business needs guide our innovation efforts. We do not lead innovation, we facilitate it.

Activity 1.2 Craft your vision statement and guiding principles

1-2 hours

1. Gather your innovation team and key program sponsors. Review the guidelines for creating vision statements and guiding principles, as well as your mandate and focus for innovation.
2. As a group, discuss what you hope to achieve through your innovation efforts.
3. Separately, have each person write down their ideas for a vision statement. Bring the group back together and share ideas. Group the concepts together and construct a single statement which outlines your aspirational vision.
4. As a group, review the example guiding principles.
5. Separately, have each person write down three to five guiding principles. Bring the group back together and share ideas. Group similar concepts together and consolidate duplicate ideas. From this list, construct six to eight guiding principles.
6. Document your vision and guiding principles in the appropriate sections of the Innovation Program Template.

Input

• Understanding of your innovation mandate
• Business vision, mission, and values
• Sample vision statements and guiding principles

Output

• Vision statement
• Guiding principles

Materials

• In person: Whiteboard/flip charts, sticky notes, pens, and notepads
• Virtual: Consider using a shared document, virtual whiteboard, or online facilitation tool like MURAL
• Innovation Program Template

Participants

• CINO
• Innovation sponsors
• Business leaders
• Innovation team

1.3 Determine your value proposition and metrics

Justify the existence of the innovation program with a strong value proposition.

• The value proposition for developing an innovation program will be different for each organization, depending on what the organization hopes to achieve. Consider your mandate for innovation as well as the type of innovation you are pursuing when crafting the value proposition.
• Some of the reasons organizations may pursue innovation:
  • Business growth: Respond to market disruption; create new customers; take advantage of opportunities.
  • Branding: Create market differentiation; increase customer satisfaction and retention; adapt to customer needs.
  • Profitability: Improve products, services, or operations to increase competitiveness and profitability; develop more efficient processes.
  • Culture: Foster a culture of creativity and experimentation within the organization, encouraging employees to think outside the box.
  • Positive impact: Address social challenges such as poverty and climate change.

Develop a strong value proposition for your innovation program

Demonstrate the value to the business.

A strong value proposition not only articulates the value that the business will derive from the innovation program but also provides a clear focus, helps to communicate the innovation goals, and ultimately drives the success of the program.

Focus
Prioritize and focus innovation efforts to create solutions that provide real value to the organization

Communicate
Communicate the mandate and benefits of innovation in a clear and compelling way and inspire people to think differently

Measure Success
Measure the success of your program by evaluating outcomes based on the value proposition

Track appropriate success metrics for your innovation program

Your success metrics should link back to your organizational goals and your innovation program's value proposition.

Revenue Growth: Increase in revenue generated by new products or services.

Market Share: Percentage of total market that the business captures as a result of innovation.

Customer Satisfaction: Reviews, customer surveys, or willingness to recommend the company.

Employee Engagement: Engagement surveys, performance, employee retention, or turnover.

Innovation Output: The number of new products, services, or processes that have been developed.

Return on Investment: Financial return on the resources invested in the innovation process.

Social Impact: Number of people positively impacted, net reduction in emissions, etc.

Time to Launch: The time it takes for a new product or service to go from idea to launch.

Info-Tech Insight

The total impact of innovation is often intangible and extremely difficult to capture in performance metrics. Focus on developing a few key metrics rather than trying to capture the full value of innovation.

How much does innovation cost?

The top innovators(1) in the world spend 5% to 15% of their revenue on innovation.

Innovation requires a dedicated investment of time, money, and resources in order to be successful. The most innovative companies, based on Boston Consulting Group's ranking of the 50 most innovative companies in the world, spend significant portions of their revenue on research and development.

Note: This data uses research and development as a proxy for innovation spending, which may overestimate the total spend on what this research considers true innovation.

(1) Based on Boston Consulting Group's ranking of the 50 most innovative companies in the world, 2022
(2) Macrotrends, based on the 12 months ending Sept 30, 2022
(3) Statista
(4) CNBC, 2022

Activity 1.3 Develop your value proposition and performance metrics

1 hour

1. Review your mandate and vision statement. Write down your innovation goals and desired outcomes from pursuing innovation, prioritize the desired outcomes, and select the top five.
2. For each desired outcome, develop one to two metrics which could be used to track its success. Some outcomes are difficult to track, so get creative when it comes to developing metrics. If you get stuck, think about what would differentiate a great outcome from an unsuccessful one.
3. Once you have developed a list of three to five key metrics, read over the list and ensure that the metrics you have developed don't negatively influence your innovation. For example, a metric of the number of successful launches may drive people toward launching before a product is ready.
4. For each metric, develop a goal. For example, you may target 1% revenue growth over the next fiscal year or 20% energy use reduction.
5. Document your value proposition and key performance metrics in the appropriate sections of the Innovation Program Template.

Input

• Understanding of your innovation mandate
• Vision statement

Output

• Value proposition
• Performance metrics

Materials

• Innovation Program Template

Participants

• CINO

Phase 2: Align Your People

Create a culture that fosters innovative behaviors and puts processes in place to support them.

This phase will walk you through the following activities:

• Understand the key aspects of innovative cultures, and the behaviors associated with innovation.
• Assess your culture and identify gaps.
• Define your innovation operating model based on your organizational culture and the focus for innovation.
• Build your core innovation capabilities, including an innovation core team (if required based on your operating model).

This phase involves the following participants:

• CINO
• Innovation team

2.1 Foster a culture of innovation

Culture is the most important driver of innovation – and the most challenging to get right.

• Fostering a culture of innovation requires a broad approach which considers the perspectives of individuals, teams, leadership, and the overall organization.
• If you do not have support from leadership, it is very difficult to change organizational culture. It may be more effective to start with an innovation pilot or lighthouse project in order to gain support before addressing your culture.
• Rather than looking to change outcomes, focus on the behaviors which lead to innovation – such as growth mindset and willingness to fail. If these aren't in place, your ability to innovate will be limited.
• This section focuses on the specific behaviors associated with increased innovation. For additional resources on implementing these changes, refer to Info-Tech's other research:

Info-Tech's Fix Your IT Culture can help you promote innovative behaviors

Refer to Improve IT Team Effectiveness to address team challenges

Build a culture of innovation

Focus on behaviors, not outcomes.

The following behaviors and key indicators either stifle or foster innovation.

Ensure you are not inadvertently stifling innovation.
Review the following to ensure that the desired behaviors are promoted:

• Hiring practices
• Performance evaluation metrics
• Rewards and incentives
• Corporate policies
• Governance structures
• Leadership behavior

Case study

INDUSTRY: Commercial Real Estate and Retail
SOURCE: Interview

How not to approach innovation.

This anonymous national organization owned commercial properties across the country and had the goal of becoming the most innovative real estate and retail company in the market.

The organization pursued innovation in the digital solutions space across its commercial and retail properties. Within this space, there were significant differences in risk tolerance across teams, which resulted in the more risk-tolerant teams excluding the risk-averse members from discussions in order to circumvent corporate policies on risk tolerance. This resulted in an adversarial and siloed culture where each group believed they knew better than the other, and the more risk-averse teams felt like they were policing the actions of the risk-tolerant group.

Results

Morale plummeted, and many of the organization's top people left. Unfortunately, one of the solutions did not meet regulatory requirements, and the company faced negative media coverage and legal action. There was significant reputational damage as a result.

Lessons Learned

Considering differences in risk tolerance and risk appetite is critical when pursuing innovation. While everyone doesn't have to agree, leadership needs to understand the different perspectives and ensure that no one party is dominating the conversation over the others. An understanding of corporate risk tolerance and risk appetite is necessary to drive innovation.

All perspectives have a place in innovation. More risk tolerant perspectives should be involved early in the ideas-generation phase, and risk-averse perspectives should be considered later when ideas are being refined.

Speed should not override safety or circumvent corporate policies.

Understand your risk tolerance and risk appetite

Evaluate and align the appetite for risk.

• It is important to understand the organization's risk tolerance as well as the desire for risk. Consider the following risk categories when investigating the organization's views on risk:
  • Financial risk: the potential for financial or property loss.
  • Operational risk: the potential for disruptions to operations.
  • Reputational risk: the potential for negative impact to brand or reputation.
  • Compliance risk: the potential for loss due to non-compliance with laws and regulations.
• Greater risk tolerance typically enables greater innovation. Understand the varying levels of risk tolerance across your organization, and how these differences might impact innovation efforts.

It is more important to match the level of risk tolerance to the degree of innovation required. Not all innovation needs to be (or can feasibly be) disruptive.
Many factors impact risk tolerance including:

• Regulation
• Organization size
• Country
• Industry
• Personal experience
• Type of risk

Use Info-Tech's Security Risk Management research to better understand risk tolerance

Activity 2.1 Assess your innovation culture

1-3 hours

1. Review the behaviors which support and stifle innovation and give each behavior a score from 1 (stifling innovation) to 5 (fostering innovation). Any behaviors which fall below a 4 on this scale should be prioritized in your efforts to create an innovative culture.
2. Review the following policies and practices to determine how they may be contributing to the behaviors you see in your organization:
   1. Hiring practices
   2. Performance evaluation metrics
   3. Rewards, recognition, and incentives
   4. Corporate policies
   5. Governance structures
   6. Leadership behavior
3. Identify three concrete actions you can take to correct any behaviors which are stifling innovation. Examples might be revising a policy which punishes failure or changing performance incentives to reward appropriate risk taking.
4. Summarize your findings in the appropriate section of the Innovation Program Template.

Input

• Innovation behaviors

Output

• Understanding of your organization's culture
• Concrete actions you can take to promote innovation

Materials

• List of innovative behaviors
• Relevant policies and documents to review
• Innovation Program Template

Participants

• CINO

2.2 Define your innovation model

Set up your innovation practice for success using proven models and methodologies.

• There are many ways to approach innovation, from highly distributed forms where it's just part of everyone's job to very centralized and arm's-length innovation hubs or even outsourced innovation via startups. You can combine different approaches to create your own approach.
• You may or may not have a formal innovation team, but if you do, their role is to facilitate innovation – not lead it. Innovation is most effective when it is led by the business.
• There are many tools and methodologies you can use to facilitate innovation. Choose the one (or combination) that best suits your needs.

Select the right model

There is no one right way to pursue innovation, but some methods are better than others for specific situations and goals. Consider your existing culture, your innovation goals, and your budget when selecting the right methodology for your innovation.

Use the right methodologies to support different stages of your innovation process

Adapted from Niklaus Gerber via Medium, 2022

Methodologies are most useful when they are aligned with the goals of the innovation organization.

For example, design thinking tends to be excellent for earlier innovation planning, while Agile can allow for faster implementation and launch of initiatives later in the process.

Consider combining two or more methodologies to create a custom approach that best suits your organization's capabilities and goals.

Sample methodologies

A robust innovation methodology ensures that the process for developing, prioritizing, selecting, implementing, and measuring initiatives is aligned with the results you are hoping to achieve.

Different types of problems (drivers for innovation) may necessitate different methodologies, or a combination of methodologies.

Hackathon: An event which brings people together to solve a well-defined problem.

Design Thinking: Creative approach that focuses on understanding the needs of users.

Lean Startup: Emphasizes rapid experimentation in order to validate business hypotheses.

Design Sprint: Five-day process for answering business questions via design, prototyping, and testing.

Agile: Iterative design process that emphasizes project management and retrospectives.

Three Horizons: Framework that looks at opportunities on three different time horizons.

Innovation Ambition Matrix: Helps organizations categorize projects as part of the core offering, an adjacent offering, or completely new.

Global Innovation Management: A process of identifying, developing and implementing new ideas, products, services, or processes using alternative thinking.

Blue Ocean Strategy: A methodology that helps organizations identify untapped market space and create new markets via unique value propositions.

Activity 2.2 Design your innovation model

1-2 hours

1. Think about the following factors which influence the design of your innovation practice:
   1. Existing organizational culture
   2. Available funding to support innovation
   3. Type of innovation you are targeting
2. Review the innovation approaches, and identify which approach is most suitable for your situation. Note why this approach was selected.
3. Review the innovation methodologies and research those of interest. Select two to five methodologies to use for your innovation practice.
4. Document your decisions in the Innovation Program Template.

Input

• Understanding of your mandate and existing culture

Output

• Innovation approach
• Selected methodologies

Materials

• Innovation Program Template

Participants

• CINO
• Innovation team

2.3 Build your core innovation capabilities

Develop the skills, knowledge, and experience to facilitate successful innovation.

• Depending on the approach you selected in step 2.2, you may or may not require a dedicated innovation team. If you do, use the job descriptions and sample organization charts to build it. If not, focus on developing key capabilities which are needed to facilitate innovation.
• Diversity is key for successful innovation – ensure your team (formal or otherwise) includes diverse perspectives and backgrounds.
• Use your guiding principles when hiring and training your team.
• Focus on three core roles: evangelists, enablers, and experts.

Focus on three key roles when building your innovation team

Types of roles will depend on the purpose and size of the innovation team.

You don't need to grow them all internally. Consider partnering with vendors and other organizations to build capabilities.

Evangelists

Visionaries who inspire, support, and facilitate innovation across the business. Their responsibilities are to drive the culture of innovation.

Key skills and knowledge:

• Strong communication skills
• Relationship-building
• Consensus-building
• Collaboration
• Growth mindset

Sample titles:

• CINO
• Chief Transformation Officer
• Chief Digital Officer
• Innovation Lead
• Business Relationship Manager

Enablers

Translate ideas into tangible business initiatives, including assisting with business cases and developing performance metrics.

Key skills and knowledge:

• Critical thinking skills
• Business knowledge
• Facilitation skills
• Consensus-building
• Relationship-building

Sample titles:

• Product Owner
• Design Thinking Lead
• Data Scientist
• Business Analyst
• Human Factors Engineer
• Digital Marketing Specialist

Experts

Provide expertise in product design, delivery and management, and responsible for supporting and executing on pilot projects.

Key skills and knowledge:

• Project management skills
• Technical expertise
• Familiarity with emerging technologies
• Analytical skills
• Problem-solving skills

Sample titles:

• Product Manager
• Scrum Master/Agile Coach
• Product Engineer/DevOps
• Product Designer
• Emerging tech experts

Sample innovation team structure (large enterprise)

Visualize the whole value delivery process end-to-end to help identify the types of roles, resources, and capabilities required. These capabilities can be sourced internally (i.e. grow and hire internally) or through collaboration with centers of excellence, commercial partners, etc.

Streamline your process by downloading Info-Tech's job description templates:

• Chief Innovation Officer
• Chief Digital Officer
• Innovation Lead
• Business Relationship Manager
• Product Owner
• Business Analyst
• Scrum Master
• Project Manager

Activity 2.3 Build your innovation team

2-3 hours

1. Review your work from the previous activities as well as the organizational structure and the job description templates.
2. Start a list with two columns: currently have and needed. Start listing some of the key roles and capabilities from earlier in this step, categorizing them appropriately.
3. If you are using an organizational structure for your innovation process, start to frame out the structure and roles for your team.
4. Develop a list of roles you need to hire, and the key capabilities you need from candidates. Using the job descriptions, write job postings for each role.
5. Record your work in the appropriate section of the Innovation Program Template.

Input

• Previous work
• Info-Tech job description templates

Output

• List of capabilities required
• Org chart
• Job postings for required roles

Materials

• Note-taking capability
• Innovation Program Template

Participants

• CINO

Related Info-Tech Research

Fix Your IT Culture

• Promote psychological safety and growth mindset within your organization.
• Develop the organizational behaviors that lead to innovation.

Improve IT Team Effectiveness

• Address behaviors, processes, and cultural factors which impact team effectiveness.
• Grow the team's ability to address challenges and navigate volatile, uncertain, complex and ambiguous environments.

Master Organizational Change Management Practices

• Transformation and change are increasingly becoming the new normal. While this normality may help make people more open to change in general, specific changes still need to be planned, communicated, and managed. Agility and continuous improvement are good but can degenerate into volatility if change isn't managed properly.

Phase 3: Build Your Practice

Define your innovation process, streamline pilot projects, and scale for success.

This phase will walk you through the following activities:

• Build the methodologies needed to elicit ideas from the business.
• Develop criteria to evaluate and prioritize ideas for piloting.
• Define your pilot program methodologies and processes, including criteria to assess and compare the success of pilot projects.
• Conduct an end-of-year program retrospective to evaluate the success of your innovation program.

This phase involves the following participants:

• CINO
• Innovation team

Case study

INDUSTRY: Government
SOURCE: Interview

Confidential US government agency

The business applications group at this government agency strongly believes that innovation is key to progress and has instituted a formal innovation program as part of their agile operations. The group uses a Scaled Agile Framework (SAFe) with 2-week sprints and a 12-week program cycle.

To support innovation across the business unit, the last sprint of each cycle is dedicated toward innovation and teams do not commit to any other during these two weeks. At the end of each innovation sprint, ideas are presented to leadership and the valuable ones were either implemented initially or were given time in the next cycle of sprints for further development. This has resulted in a more innovative culture across the practice.

Results

There have been several successful innovations since this process began. Notably, the agency had previously purchased a robotic process automation platform which was only being used for a few specific applications. One team used their innovation sprint to expand the use cases for this solution and save nearly 10,000 hours of effort.

Standard 12-week Program Cycle

Design your innovation operating model to maximize value and learning opportunities

Pilots are an iterative process which brings together innovators and business teams to test and evaluate ideas.

Your operating model should include several steps including ideation, validation, evaluation and prioritization, piloting, and a retrospective which follows the pilot. Use the example on this slide when designing your own innovation operating model.

3.1 Build your ideation and prioritization methodologies

Engage the business to generate ideas, then prioritize based on value to the business.

• There are many ways of generating ideas, from informal discussion to formal ideation sessions or submission forms. Whatever you decide to use, make sure that you're getting the right information to evaluate ideas for prioritization.
• Use quantitative and qualitative metrics to evaluate ideas generated during the ideation process.
  • Quantitative metrics might include potential return on investment (ROI) or effort and resources required to implement.
  • Qualitative metrics might include alignment with the organizational strategy or the level of risk associated with the idea.

Engage the business to generate ideas

There are many ways of generating innovative ideas. Pick the methods that best suit your organization and goals.

Design Thinking
A structured approach that encourages participants to think creatively about the needs of the end user.

Ideation Workshop
A formal session that is used to understand a problem then generate potential solutions. Workshops can incorporate the other methodologies (such as brainstorming, design thinking, or mind mapping) to generate ideas.

• Define the problem
• Generate ideas
• Capture ideas
• Evaluate and prioritize
• Assign next steps

Crowdsourcing
An informal method of gathering ideas from a large group of people. This can be a great way to generate many ideas but may lack focus.

Value Proposition Canvas
A visual tool which helps to identify customer (or user) needs and design products and services that meet those needs.

Evaluate ideas and focus on those with the greatest value

Evaluation should be transparent and use both quantitative and qualitative metrics. The exact metrics used will depend on your organization and goals.

It is important to include qualitative metrics as these dimensions are better suited to evaluating highly innovative ideas and can capture important criteria like alignment with overall strategy and feasibility.

Develop 5 to 10 criteria that you can use to evaluate and prioritize ideas. Some criteria may be a pass/fail (for example, minimum ROI) and some may be comparative.

Evaluate
The first step is to evaluate ideas to determine if they meet the minimum criteria. This might include quantitative criteria like ROI as well as qualitative criteria like strategic alignment and feasibility.

Prioritize
Ideas that pass the initial evaluation should be prioritized based on additional criteria which might include quantitative criteria such as potential market size and cost to implement, and qualitative criteria such as risk, impact, and creativity.

Quantitative Metrics

Quantitative metrics are objective and easily comparable between initiatives, providing a transparent and data-driven process for evaluation and prioritization.
Examples:

• Potential market size
• ROI
• Net present value
• Payback period
• Number of users impacted
• Customer acquisition cost
• Customer lifetime value
• Breakeven analysis
• Effort required to implement
• Cost to implement

Qualitative Metrics

Qualitative metrics are less easily comparable but are equally important when it comes to evaluating ideas. These should be developed based on your organization strategy and innovation goals.
Examples:

• Strategy alignment
• Impact on users
• Uncertainty and risk
• Innovation potential
• Culture impact
• Feasibility
• Creativity and originality
• Type of innovation

Activity 3.1 Develop prioritization metrics

1-3 hours

1. Review your mandate, purpose, innovation goals and the sample prioritization and evaluation metrics.
2. Write down a list of your goals and their associated metrics, then prioritize which are the most important.
3. Determine which metrics will be used to evaluate ideas before they move on to the prioritization stage, and which metrics will be used to compare initiatives in order to determine which will receive further investment.
4. For each evaluation metric, determine the minimum threshold required for an idea to move forward. For each prioritization metric identify the definition and how it will be evaluated. Qualitative metrics may require more precise definitions than quantitative metrics.
5. Enter your metrics into the Initiative Prioritization Template.

Input

• Innovation mandate
• Innovation goals
• Sample metrics

Output

• Evaluation and prioritization metrics for ideas

Materials

• Whiteboard/Flip charts
• Innovation Program Template

Participants

• Innovation leader

Download the Initiative Prioritization Template

3.2 Build your program to pilot initiatives

Test and refine ideas through real-world pilot projects.

• The purpose of your pilot is to test and refine ideas in the real world. In order to compare pilot projects, it's important to track key performance indicators throughout the pilot. Measurements should be useful and comparable.
• Innovation facilitators are responsible for supporting pilot projects, including designing the pilot, setting up metrics, tracking outcomes, and facilitating retrospectives.
• Pilots generally follow an Agile methodology where ideas may be refined as the pilot proceeds, and the process iterates until either the idea is discarded or it has been refined into an initiative which can be scaled.
• Expect that most pilots will fail the first time, and many will fail completely. This is not a loss; lessons learned from the retrospective can be used to improve the process and later pilots.

Use pilot projects to test and refine initiatives before scaling to the rest of the organization

"Learning is as powerful as the outcome." – Brett Trelfa, CIO, Arkansas Blue Cross

1. Clearly define the goals and objectives of the pilot project. Goals and objectives ensure that the pilot stays on track and can be measured.
2. Your pilot group should include a variety of participants with diverse perspectives and skill sets, in order to gather unique insights.
3. Continuously track the progress of the pilot project. Regularly identify areas of improvement and implement changes as necessary to refine ideas.
4. Regularly elicit feedback from participants and iterate in order to improve the final innovation. Not all pilots will be successful, but every failure can help refine future solutions.
5. Consider scalability. If the pilot project is successful, it should be scalable and the lessons learned should be implemented in the larger organization.

Sample pilot metrics

Metrics are used to validate and test pilot projects to ensure they deliver value. This is an important step before scaling to the rest of the organization.

Adoption: How many end users have adopted the pilot solution?

Utilization: Is the solution getting utilized?

Support Requests: How many support requests have there been since the pilot was initiated?

Value: Is the pilot delivering on the value that it proposed? For example, time savings.

Feasibility: Has the feasibility of the solution changed since it was first proposed?

Satisfaction: Focus groups or surveys can provide feedback on user/customer satisfaction.

A/B Testing: Compare different methods, products or services.

Info-Tech Insight

Ensure standard core metrics are used across all pilot projects so that outcomes can be compared. Additional metrics may be used to refine and test hypotheses through the pilot process.

Activity 3.2 Build your program to pilot initiatives

1-2 hours

1. Gather the innovation team and review your mandate, purpose, goals, and the sample innovation operating model and metrics.
2. As a group, brainstorm the steps needed from idea generation to business case. Use sticky notes if in person, or a collaboration tool if remote.
3. Determine the metrics that will be used to evaluate ideas at each decision step (for example, prior to piloting). Outline what the different decisions might be (for example, proceed, refine or discard) and what happens as a result of each decision.
4. Document your final steps and metrics in the Innovation Program Template.

Input

• Innovation mandate
• Innovation goals
• Sample metrics

Output

• Pilot project methodology
• Pilot project metrics

Materials

• Innovation Program Template
• Sticky notes (in person) or digital collaboration tool (if remote)

Participants

• Innovation leader
• Innovation team

3.3 Conduct a program retrospective

Generate value from your successful pilots by scaling ideas across the organization.

• The final step in the innovation process is to scale ideas to the enterprise in order to realize the full potential.
• Keeping track of notable wins is important for showing the value of the innovation program. Track performance of initiatives that come out of the innovation program, including their financial, cultural, market, and brand impacts.
• Track the success of the innovation program itself by evaluating the number of ideas generated, the number of pilots run and the success of the pilots. Keep in mind that many failed pilots is not a failure of the program if the lessons learned were valuable.
• Complete an innovation program retrospective every 6 to 12 months in order to adjust and make any changes if necessary to improve your process.

Retrospectives should be objective, constructive, and action-oriented

A retrospective is a review of your innovation program with the aim of identifying lessons learned, areas for improvement, and opportunities for growth.

During a retrospective, the team will reflect on past experiences and use that information to inform future decision making and improve outcomes.

The goal of a retrospective is to learn from the past and use that knowledge to improve in the future.

Objective

Ensure that the retrospective is based on facts and objective data, rather than personal opinions or biases.

Constructive

Ensure that the retrospective is a positive and constructive experience, with a focus on finding solutions rather than dwelling on problems.

Action-Oriented

The retrospective should result in a clear action plan with specific steps to improve future initiatives.

Activity 3.3 Conduct a program retrospective

1-2 hours

1. Post a large piece of paper on the wall with a timeline from the last year. Include dates and a few key events, but not much more. Have participants place sticky notes in the spots to describe notable wins or milestones that they were proud of. This can be done as part of a formal meeting or asynchronously outside of meetings.
2. Bring the innovation team together and review the poster with notable wins. Do any themes emerge? How does the team feel the program is doing? Are there any changes needed?
3. Consider the metrics you use to track your innovation program success. Did the scaled projects meet their targets? Is there anything that could be refined about the innovation process?
4. Evaluate the outcomes of your innovation program. Did it meet the targets set for it? Did the goals and innovation ambitions come to fruition?
5. Complete this step every 6 to 12 months to assess the success of your program.
6. Complete the "Notable Wins" section of the Innovation Program Template.

Input

• Innovation mandate
• Innovation goals
• Sample metrics

Output

• Notable wins
• Action items for refining the innovation process

Materials

• Innovation Program Template
• Sticky notes (in person) or digital collaboration tool (if remote)

Participants

• CIO
• Innovation team
• Others who have participated in the innovation process

Related Info-Tech Research

Adopt Design Thinking in Your Organization

• A user's perspective while interacting with the products and services is very different from the organization's internal perspective while implementing and provisioning those. A design-based organization balances the two perspectives to drive user-satisfaction over end-to-end journeys.

Prototype With an Innovation Design Sprint

• Build and test a prototype in four days using Info-Tech's Innovation Design Sprint Methodology.
• Create an environment for co-creation between IT and the business.

Fund Innovation With a Minimum Viable Business Case

• Our approach guides you through effectively designing a solution, de-risking a project through impact reduction techniques, building and pitching the case for your project, and applying the business case as a mechanism to ensure that benefits are realized.

Summary of Accomplishment

Congratulations on launching your innovation program!

You have now completed your innovation strategy, covering the following topics:

• Executive Summary
• Our Purpose
• Scope and Value Proposition
• Guiding Principles
• Building an Innovative Culture
• Program Structure
• Success Metrics
• Notable Wins

If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Related Info-Tech Research

Accelerate Digital Transformation With a Digital Factory

• Understand the foundations of good design: purpose, organizational support, and leadership.
• Understand the design of the operating model: structure and organization, management practices, culture, environment, teams, technology platforms, and meaningful metrics and KPIs.

Sustain and Grow the Maturity of Innovation in Your Enterprise

• Unlock your innovation potential by looking at your innovation projects on both a macro and micro level.
• Innovation capacity is directly linked with creativity; allow your employees' creativity to flourish using Info-Tech's positive innovation techniques.

Define Your Digital Business Strategy

• Design a strategy that applies innovation to your business model, streamline and transform processes, and make use of technologies to enhance interactions with customers and employees.
• Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

Research Contributors and Experts

Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group

Kim is a professional engineer and Registered Communications Distribution Designer with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.
Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.

Joanne Lee
Principal Research Director, CIO Advisory
Info-Tech Research Group

Joanne is an executive with over 25 years of experience in digital technology and management consulting across both public and private entities from solution delivery to organizational redesign across Canada and globally.
Prior to joining Info-Tech Research Group, Joanne was a management consultant within KPMG's CIO management consulting services and the Western Canadas Digital Health Practice lead. She has held several executive roles in the industry with the most recent position as Chief Program Officer for a large $450M EHR implementation. Her expertise spans cloud strategy, organizational design, data and analytics, governance, process redesign, transformation, and PPM. She is passionate about connecting people, concepts, and capital.
Joanne holds a Master's in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.

Jack Hakimian
Senior Vice President
Info-Tech Research Group

Jack has more than 25 years of technology and management consulting experience. He has served multi-billion-dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.
He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master's degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

Michael Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group

Mike Tweedie brings over 25 years as a technology executive. He's led several large transformation projects across core infrastructure, application, and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.
Mike holds a Bachelor's degree in Architecture from Ryerson University.

Mike Schembri
Senior Executive Advisor
Info-Tech Research Group

Mike is the former CIO of Fuji Xerox Australia and has 20+ years' experience serving IT and wider business leadership roles. Mike has led technical and broader business service operations teams to value and growth successfully in organizations ranging from small tech startups through global IT vendors, professional service firms, and manufacturers.
Mike has passion for strategy and leadership and loves working with individuals/teams and seeing them grow.

John Leidl
Senior Director, Member Services
Info-Tech Research Group

With over 35 years of IT experience, including senior-level VP Technology and CTO leadership positions, John has a breadth of knowledge in technology innovation, business alignment, IT operations, and business transformation. John's experience extends from start-ups to corporate enterprise and spans higher education, financial services, digital marketing, and arts/entertainment.

Joe Riley
Senior Workshop Director
Info-Tech Research Group

Joe ensures our members get the most value out of their Info-Tech memberships by scoping client needs, current state and desired business outcomes, and then drawing upon his extensive experience, certifications, and degrees (MBA, MS Ops/Org Mgt, BS Eng/Sci, ITIL, PMP, Security+, etc.) to facilitate our client's achievement of desired and aspirational business outcomes. A true advocate of ITSM, Joe approaches technology and technology practices as a tool and enabler of people, core business, and competitive advantage activities.

Denis Goulet
Senior Workshop Director
Info-Tech Research Group

Denis is a transformational leader and experienced strategist who has worked with 100+ organizations to develop their digital, technology, and governance strategies.
He has held positions as CIO, Chief Administrative Office (City Manager), General Manager, Vice President of Engineering, and Management Consultant, specializing in enterprise and technology strategy.

Cole Cioran
Managing Partner
Info-Tech Research Group

I knew I wanted to build great applications that would delight their users. I did that over and over. Along the way I also discovered that it takes great teams to deliver great applications. Technology only solves problems when people, processes, and organizations change as well. This helped me go from writing software to advising some of the largest organizations in the world on how to how to build a digital delivery umbrella of Product, Agile, and DevOps and create exceptional products and services powered by technology.

Carlene McCubbin
Research Lead, CIO Practice
Info-Tech Research Group

During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.
Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management.

Isabelle Hertanto
Principal Research Director
Info-Tech Research Group

Isabelle Hertanto has over 15 years of experience delivering specialized IT services to the security and intelligence community. As a former federal officer for Public Safety Canada, Isabelle trained and led teams on data exploitation and digital surveillance operations in support of Canadian national security investigations. Since transitioning into the private sector, Isabelle has held senior management and consulting roles across a variety of industry sectors, including retail, construction, energy, healthcare, and the broader Canadian public sector.

Hans Eckman
Principal Research Director
Info-Tech Research Group

Hans Eckman is a business transformation leader helping organizations connect business strategy and innovation to operational excellence. He supports Info-Tech members in SDLC optimization, Agile and DevOps implementation, CoE/CoP creation, innovation program development, application delivery, and leadership development. Hans is based out of Atlanta, Georgia.

Valence Howden
Principal Research Director
Info-Tech Research Group

With 30 years of IT experience in the public and private sector, Valence has developed experience in many Information Management and Technology domains, with a particular focus in the areas of Service Management, Enterprise and IT Governance, Development and Execution of Strategy, Risk Management, Metrics Design and Process Design, and Implementation and Improvement. Prior to joining Info-Tech, he served in technical and client-facing roles at Bell Canada and CGI Group Inc., as well as managing the design, integration, and implementation of services and processes in the Ontario Public Sector.

Clayton Gillett
Managing Partner
Info-Tech Research Group

Clayton Gillett is a Managing Partner for Info-Tech, providing technology management advisory services to healthcare clients. Clayton joined Info-Tech with more than 28 years of experience in health care information technology. He has held senior IT leadership roles at Group Health Cooperative of Puget Sound and OCHIN, as well as advisory or consulting roles at ECG Management Consultants and Gartner.

Donna Bales
Principal Research Director
Info-Tech Research Group

Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multi-stakeholder industry initiatives.

Igor Ikonnikov
Research Director
Info-Tech Research Group

Igor Ikonnikov is a Research and Advisory Director in the Data and Analytics practice. Igor has extensive experience in strategy formation and execution in the information management domain, including master data management, data governance, knowledge management, enterprise content management, big data, and analytics.
Igor has an MBA from the Ted Rogers School of Management (Toronto, Canada) with a specialization in Management of Technology and Innovation.

Research Contributors and Experts

Michael Newcity
Chief Innovation Officer
ArcBest

Kevin Yoder
Vice President, Innovation
ArcBest

Gary Boyd
Vice President, Information Systems & Digital Transformation
Arkansas Blue Cross and Blue Shield

Brett Trelfa
Chief Information Officer
Arkansas Blue Cross and Blue Shield

Kristen Wilson-Jones
Chief Technology & Product Officer
Medcurio

Note: additional contributors did not wish to be identified

Bibliography

Altringer, Beth. "A New Model for Innovation in Big Companies" Harvard Business Review. 19 Nov. 2013. Accessed 30 Jan. 2023. https://hbr.org/2013/11/a-new-model-for-innovation-in-big-companies
Arpajian, Scott. "Five Reasons Why Innovation Fails" Forbes Magazine. 4 June 2019. Accessed 31 Jan. 2023. https://www.forbes.com/sites/forbestechcouncil/2019/06/04/five-reasons-why-innovation-fails/?sh=234e618914c6
Baldwin, John & Gellatly, Guy. "Innovation Capabilities: The Knowledge Capital Behind the Survival and Growth of Firms" Statistics Canada. Sept. 2006. Accessed 30 Jan. 2023. https://www.bdc.ca/fr/documents/other/innovation_capabilities_en.pdf
Bar Am, Jordan et al. "Innovation in a Crisis: Why it is More Critical Than Ever" McKinsey & Company, 17 June 2020. Accessed 12 Jan. 2023. <https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/innovation-in-a-crisis-why-it-is-more-critical-than-ever >
Boston Consulting Group, "Most Innovative Companies 2021" BCG, April 2021. Accessed 30 Jan. 2023. https://web-assets.bcg.com/d5/ef/ea7099b64b89860fd1aa3ec4ff34/bcg-most-innovative-companies-2021-apr-2021-r.pdf
Boston Consulting Group, "Most Innovative Companies 2022" BGC, 15 Sept. 2022. Accessed 6 Feb. 2023. https://www.bcg.com/en-ca/publications/2022/innovation-in-climate-and-sustainability-will-lead-to-green-growth
Christensen, Clayton M. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business Review Press, 2016.
Gerber, Niklaus. "What is innovation? A beginner's guide into different models, terminologies and methodologies" Medium. 20 Sept 2022. Accessed 7 Feb. 2023. https://world.hey.com/niklaus/what-is-innovation-a-beginner-s-guide-into-different-models-terminologies-and-methodologies-dd4a3147
Google X, Homepage. Accessed 6 Feb. 2023. https://x.company/
Harnoss, Johann D. & Baeza, Ramón. "Overcoming the Four Big Barriers to Innovation Success" Boston Consulting Group, 24 Sept. 2019. Accessed 30 Jan 2023. https://www.bcg.com/en-ca/publications/2019/overcoming-four-big-barriers-to-innovation-success
Jaruzelski, Barry et al. "Global Innovation 1000 Study" Pricewaterhouse Cooper, 30 Oct. 2018. Accessed 13 Jan. 2023. <https://www.strategyand.pwc.com/gx/en/insights/innovation1000.html>
Kharpal, Arjun. "Huawei posts first-ever yearly revenue decline as U.S. sanctions continue to bite, but profit surges" CNBC. 28 March 2022. Accessed 7 Feb. 2023. https://www.cnbc.com/2022/03/28/huawei-annual-results-2021-revenue-declines-but-profit-surges.html
Kirsner, Scott. "The Biggest Obstacles to Innovation in Large Companies" Harvard Business Review, 30 July 2018. Accessed 12 Jan. 2023. <https://hbr.org/2018/07/the-biggest-obstacles-to-innovation-in-large-companies>
Macrotrends. "Apple Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/AAPL/apple/revenue
Macrotrends. "Microsoft Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/MSFT/microsoft/revenue
Macrotrends. "Amazon Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/AMZN/amazon/revenue
Macrotrends. "Alphabet Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/GOOG/alphabet/revenue
Macrotrends. "Tesla Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/TSLA/tesla/revenue
Macrotrends. "Moderna Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/MRNA/moderna/revenue
Macrotrends. "Sony Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/SONY/sony/revenue
Macrotrends. "IBM Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/IBM/ibm/revenue
Macrotrends. "Meta Platforms Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/META/meta-platforms/revenue
Macrotrends. "NIKE Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/NKE/nike/revenue
Macrotrends. "Walmart Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/WMT/walmart/revenue
Macrotrends. "Dell Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/DELL/dell/revenue
Macrotrends. "NVIDIA Revenue 2010-2022" Macrotrends. Accessed 23 Jan. 2023. https://www.macrotrends.net/stocks/charts/NVDA/nvidia/revenue
Sloan, Paul. "How to Develop a Vision for Innovation" Innovation Management, 10 Aug. 2009. Accessed 7 Feb. 2023. https://innovationmanagement.se/2009/08/10/how-to-develop-a-vision-for-innovation/
Statista. "Samsung Electronics' global revenue from 2005 to 2021" Statista. Accessed 7 Feb. 2023. https://www.statista.com/statistics/236607/global-revenue-of-samsung-electronics-since-2005/
Tichy, Noel & Ram Charan. "Speed, Simplicity, Self-Confidence: An Interview with Jack Welch" Harvard Business Review, 2 March 2020. Accessed 7 Feb. 2023. https://hbr.org/1989/09/speed-simplicity-self-confidence-an-interview-with-jack-welch
Weick, Karl and Kathleen Sutcliffe. Managing the Unexpected: Sustained Performance in a Complex World, Third Edition. John Wiley & Sons, 2015.
Xuan Tian, Tracy Yue Wang, Tolerance for Failure and Corporate Innovation, The Review of Financial Studies, Volume 27, Issue 1, 2014, Pages 211–255, Accessed https://doi.org/10.1093/rfs/hhr130

Establish Data Governance

Deliver measurable business value.

Executive Brief

Analyst Perspective

Establish a data governance program that brings value to your organization.

Data governance does not sit as an island on its own in the organization – it must align with and be driven by your enterprise governance. As you build out data governance in your organization, it’s important to keep in mind that this program is meant to be an enabling framework of oversight and accountabilities for managing, handling, and protecting your company’s data assets. It should never be perceived as bureaucratic or inhibiting to your data users. It should deliver agreed-upon models that are conducive to your organization’s operating culture, offering clarity on who can do what with the data and via what means. Data governance is the key enabler for bringing high-quality, trusted, secure, and discoverable data to the right users across your organization. Promote and drive the responsible and ethical use of data while helping to build and foster an organizational culture of data excellence.

Crystal Singh

Director, Research & Advisory, Data & Analytics Practice

Info-Tech Research Group

Executive Summary

Your Challenge

The amount of data within organizations is growing at an exponential rate, creating a need to adopt a formal approach to governing data. However, many organizations remain uninformed on how to effectively govern their data. Comprehensive data governance should define leadership, accountability, and responsibility related to data use and handling and be supported by a well-oiled operating model and relevant policies and procedures. This will help ensure the right data gets to the right people at the right time, using the right mechanisms.

Common Obstacles

Organizations are faced with challenges associated with changing data landscapes, evolving business models, industry disruptions, regulatory and compliance obligations, and changing and maturing user landscape and demand for data. Although the need for a data governance program is often evident, organizations miss the mark when their data governance efforts are not directly aligned to delivering measurable business value. Initiatives should support key strategic initiatives, as well as value streams and their underlying business capabilities.

Info-Tech’s Approach

Info-Tech’s approach to establishing and sustaining effective data governance is anchored in the strong alignment of organizational value streams and their business capabilities with key data governance dimensions and initiatives. Organizations should:

• Align their data governance with enterprise governance, business strategy and value streams to ensure the program delivers measurable business value.
• Understand their current data governance capabilities so as to build out a future state that is right-sized and relevant.
• Define data leadership, accountability, and responsibility. Support these with an operating model that effectively manages change and communication and fosters a culture of data excellence.

Info-Tech Insight

Your organization’s value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operating costs, missed opportunities, eroded stakeholder satisfaction, and increased business risk.

Your challenge

This research is designed to help organizations build and sustain an effective data governance program.

• Your organization has recognized the need to treat data as a corporate asset for generating business value and/or managing and mitigating risk.
• This has brought data governance to the forefront and highlighted the need to build a performance-driven enterprise program for delivering quality, trusted, and readily consumable data to users.
• An effective data governance program is one that defines leadership, accountability, and responsibility related to data use and handling. It’s supported by a well-oiled operating model and relevant policies and procedures, all of which help build and foster a culture of data excellence where the right users get access to the right data at the right time via the right mechanisms.

As you embark on establishing data governance in your organization, it’s vital to ensure from the get-go that you define the drivers and business context for the program. Data governance should never be attempted without direction on how the program will yield measurable business value.

“Data processing and cleanup can consume more than half of an analytics team’s time, including that of highly paid data scientists, which limits scalability and frustrates employees.” – Petzold, et al., 2020

“The productivity of employees across the organization can suffer.” – Petzold, et al., 2020

Respondents to McKinsey’s 2019 Global Data Transformation Survey reported that an average of 30% of their total enterprise time was spent on non-value-added tasks because of poor data quality and availability. – Petzold, et al., 2020

Common obstacles

Some of the barriers that make data governance difficult to address for many organizations include:

• Gaps in communicating the strategic value of data and data governance to the organization. This is vital for securing senior leadership buy-in and support, which, in turn, is crucial for sustained success of the data governance program.
• Misinterpretation or a lack of understanding about data governance, including what it means for the organization and the individual data user.
• A perception that data governance is inhibiting or an added layer of bureaucracy or complication rather than an enabling and empowering framework for stakeholders in their use and handling of data.
• Embarking on data governance without firmly substantiating and understanding the organizational drivers for doing so. How is data governance going to support the organization’s value streams and their various business capabilities?
• Neglecting to define and measure success and performance. Just as in any other enterprise initiative, you have to be able to demonstrate an ROI for time, resources and funding. These metrics must demonstrate the measurable business value that data governance brings to the organization.
• Failure to align data governance with enterprise governance.

78% of companies (and 92% of top-tier companies) have a corporate initiative to become more data-driven. – Alation, 2020

But despite these ambitions, there appears to be a “data culture disconnect” – 58% of leaders overestimate the current data culture of their enterprises, giving a grade higher than the one produced by the study. – Fregoni, 2020

The strategic value of data

Power intelligent and transformative organizational performance through leveraging data.

Respond to industry disruptors

Optimize the way you serve your stakeholders and customers

Develop products and services to meet ever-evolving needs

Manage operations and mitigate risk

Harness the value of your data

The journey to being data-driven

The journey to declaring that you are a data-driven organization requires a pit stop at data enablement.

The Data Economy

Data Disengaged

You have a low appetite for data and rarely use data for decision making.

Data Enabled

Technology, data architecture, and people and processes are optimized and supported by data governance.

Data Driven

You are differentiating and competing on data and analytics; described as a “data first” organization. You’re collaborating through data. Data is an asset.

Data governance is essential for any organization that makes decisions about how it uses its data.

Data governance is an enabling framework of decision rights, responsibilities, and accountabilities for data assets across the enterprise.

Data governance is:

• Executed according to agreed-upon models that describe who can take what actions with what information, when, and using what methods (Olavsrud, 2021).
• True business-IT collaboration that will lead to increased consistency and confidence in data to support decision making. This, in turn, helps fuel innovation and growth.

If done correctly, data governance is not:

• An annoying, finger-waving roadblock in the way of getting things done.
• Meant to solve all data-related business or IT problems in an organization.
• An inhibitor or impediment to using and sharing data.

Info-Tech’s Data Governance Framework

Create impactful data governance by embedding it within enterprise governance

Organizational drivers for data governance

Data governance personas:

Conformance: Establishing data governance to meet regulations and compliance requirements.

Performance: Establishing data governance to fuel data-driven decision making for driving business value and managing and mitigating business risk.

Data Governance is not a one-person show

• Data governance needs a leader and a home. Define who is going to be leading, driving, and steering data governance in your organization.
• Senior executive leaders play a crucial role in championing and bringing visibility to the value of data and data governance. This is vital for building and fostering a culture of data excellence.
• Effective data governance comes with business and IT alignment, collaboration, and formally defined roles around data leadership, ownership, and stewardship.

Traditional data governance organizational structure

A traditional structure includes committees and roles that span across strategic, tactical, and operational duties. There is no one-size-fits-all data governance structure. However, most organizations follow a similar pattern when establishing committees, councils, and cross-functional groups. Most organizations strive to identify roles and responsibilities at a strategic and operational level. Several factors will influence the structure of the program, such as the focus of the data governance project and the maturity and size of the organization.

A healthy data culture is key to amplifying the power of your data.

“Albert Einstein is said to have remarked, ‘The world cannot be changed without changing our thinking.’ What is clear is that the greatest barrier to data success today is business culture, not lagging technology. “– Randy Bean, 2020

What does it look like?

• Everybody knows the data.
• Everybody trusts the data.
• Everybody talks about the data.

“It is not enough for companies to embrace modern data architectures, agile methodologies, and integrated business-data teams, or to establish centers of excellence to accelerate data initiatives, when only about 1 in 4 executives reported that their organization has successfully forged a data culture.”– Randy Bean, 2020

Data literacy is an essential part of a data-driven culture

• In a data-driven culture, decisions are made based on data evidence, not on gut instinct.
• Data often has untapped potential. A data-driven culture builds tools and skills, builds users’ trust in the condition and sources of data, and raises the data skills and understanding among their people on the front lines.
• Building a data culture takes an ongoing investment of time, effort, and money. This investment will not achieve the transformation you want without data literacy at the grassroots level.

Data-driven culture = “data matters to our company”

Despite investments in data initiative, organizations are carrying high levels of data debt

Data debt is “the accumulated cost that is associated with the sub-optimal governance of data assets in an enterprise, like technical debt.”

Data debt is a problem for 78% of organizations.

40% of organizations say individuals within the business do not trust data insights.

66% of organizations say a backlog of data debt is impacting new data management initiatives.

33% of organizations are not able to get value from a new system or technology investment.

30% of organizations are unable to become data-driven.

Source: Experian, 2020

Absent or sub-optimal data governance leads to data debt

Only 3% of companies’ data meets basic quality standards. (Source: Nagle, et al., 2017)

Organizations suspect 28% of their customer and prospect data is inaccurate in some way. (Source: Experian, 2020)

Only 51% of organizations consider the current state of their CRM or ERP data to be clean, allowing them to fully leverage it. (Source: Experian, 2020)

35% of organizations say they’re not able to see a ROI for data management initiatives. (Source: Experian, 2020)

Embrace the technology

Make the available data governance tools and technology work for you:

• Data catalog
• Business data glossary
• Data lineage
• Metadata management

While data governance tools and technologies are no panacea, leverage their automated and AI-enabled capabilities to augment your data governance program.

Measure success to demonstrate tangible business value

Put data governance into the context of the business:

• Tie the value of data governance and its initiatives back to the business capabilities that are enabled.
• Leverage the KPIs of those business capabilities to demonstrate tangible and measurable value. Use terms and language that will resonate with senior leadership.

Don’t let measurement be an afterthought:

Start substantiating early on how you are going to measure success as your data governance program evolves.

Build a right-sized roadmap

Formulate an actionable roadmap that is right-sized to deliver value in your organization.

Key considerations:

• When building your data governance roadmap, ensure you do so through an enterprise lens. Be cognizant of other initiatives that might be coming down the pipeline that may require you to align your data governance milestones accordingly.
• Apart from doing your planning with consideration for other big projects or launches that might be in-flight and require the time and attention of your data governance partners, also be mindful of the more routine yet still demanding initiatives.
• When doing your roadmapping, consider factors like the organization’s fiscal cycle, typical or potential year-end demands, and monthly/quarterly reporting periods and audits. Initiatives such as these are likely to monopolize the time and focus of personnel key to delivering on your data governance milestones.

Sample milestones:

Data Governance Leadership & Org Structure Definition

Define the home for data governance and other key roles around ownership and stewardship, as approved by senior leadership.

Data Governance Charter and Policies

Create a charter for your program and build/refresh associated policies.

Data Culture Diagnostic

Understand the organization’s current data culture, perception of data, value of data, and knowledge gaps.

Use Case Build and Prioritization

Build a use case that is tied to business capabilities. Prioritize accordingly.

Business Data Glossary

Build and/or refresh the business’ glossary for addressing data definitions and standardization issues.

Tools & Technology

Explore the tools and technology offering in the data governance space that would serve as an enabler to the program. (e.g. RFI, RFP).

Key takeaways for effective business-driven data governance

Data governance leadership and sponsorship is key.

Ensure strategic business alignment.

Build and foster a culture of data excellence.

Evolve along the data journey.

Make data governance an enabler, not a hindrance.

Insight summary

Overarching insight

Your organization’s value streams and the associated business capabilities require effectively governed data. Without this, you face the impact of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

Insight 1

Data governance should not sit as an island in your organization. It must continuously align with the organization’s enterprise governance function. It shouldn’t be perceived as a pet project of IT, but rather as an enterprise-wide, business-driven initiative.

Insight 2

Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture. Leverage the measures of success or KPIs of the underlying business capabilities to demonstrate the value data governance has yielded for the organization.

Insight 3

Data governance remains the foundation of all forms of reporting and analytics. Advanced capabilities such as AI and machine learning require effectively governed data to fuel their success.

Tactical insight

Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to your different levels of stakeholders. When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to fill the knowledge gaps about data, as they exist in your organization. It should be targeted across the board – from your executive leadership and management through to the subject matter experts across different lines of the business in your organization.

Info-Tech’s methodology for establishing data governance

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Data Governance Planning and Roadmapping Workbook

Use the Data Governance Planning and Roadmapping Workbook as you plan, build, roll-out, and scale data governance in your organization.

Data Use Case Framework Template

This template takes you through a business needs gathering activity to highlight and create relevant use cases around the organization’s data-related problems and opportunities.

Business Data Glossary

Use this template to document the key data assets that are to be governed and create a data flow diagram for your organization.

Data Culture Diagnostic and Scorecard

Leverage Info-Tech’s Data Culture Diagnostic to understand how your organization scores across 10 areas relating to data culture.

Key deliverable:

Data Governance Planning and Roadmapping Workbook

Measure the value of this blueprint

Leverage this blueprint’s approach to ensure your data governance initiatives align and support your key value streams and their business capabilities.

• Aligning your data governance program and its initiatives to your organization’s business capabilities is vital for tracing and demonstrating measurable business value for the program.
• This alignment of data governance with value streams and business capabilities enables you to use business-defined KPIs and demonstrate tangible value.

In phases 1 and 2 of this blueprint, we will help you establish the business context, define your business drivers and KPIs, and understand your current data governance capabilities and strengths.

In phase 3, we will help you develop a plan and a roadmap for addressing any gaps and improving the relevant data governance capabilities so that data is well positioned to deliver on those defined business metrics.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team, has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Establish Data Governance project overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Workshop overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

Phase 1

Build Business and User Context

“When business users are invited to participate in the conversation around data with data users and IT, it adds a fundamental dimension — business context. Without a real understanding of how data ties back to the business, the value of analysis and insights can get lost.” – Jason Lim, Alation

This phase will guide you through the following activities:

• Identify Your Business Capabilities
• Define your Organization’s Key Business Capabilities
• Develop a Strategy Map that Aligns Business Capabilities to Your Strategic Focus

This phase involves the following participants:

• Data Governance Leader/Data Leader (CDO)
• Senior Business Leaders
• Business SMEs
• Data Leadership, Data Owners, Data Stewards and Custodians

Step 1.1

Substantiate Business Drivers

Activities

1.1.1 Identify Your Business Capabilities

1.1.2 Categorize Your Organization’s Key Business Capabilities

1.1.3 Develop a Strategy Map Tied to Data Governance

This step will guide you through the following activities:

• Leverage your organization’s existing business capability map or initiate the formulation of a business capability map, guided by info-Tech’s approach
• Determine which business capabilities are considered high priority by your organization
• Map your organization’s strategic objectives to value streams and capabilities to communicate how objectives are realized with the support of data

Outcomes of this step

• A foundation for data governance initiative planning that’s aligned with the organization’s business architecture: value streams, business capability map, and strategy map

Info-Tech Insight

Gaining a sound understanding of your business architecture (value streams and business capabilities) is a critical foundation for establishing and sustaining a data governance program that delivers measurable business value.

1.1.1 Identify Your Business Capabilities

Confirm your organization's existing business capability map or initiate the formulation of a business capability map:

• If you have an existing business capability map, meet with the relevant business owners/stakeholders to confirm that the content is accurate and up to date. Confirm the value streams (how your organization creates and captures value) and their business capabilities are reflective of the organization’s current business environment.
• If you do not have an existing business capability map, follow this activity to initiate the formulation of a map (value streams and related business capabilities):
  1. Define the organization’s value streams. Meet with senior leadership and other key business stakeholders to define how your organization creates and captures value.
  2. Define the relevant business capabilities. Meet with senior leadership and other key business stakeholders to define the business capabilities.

Note: A business capability defines what a business does to enable value creation. Business capabilities are business terms defined using descriptive nouns such as “Marketing” or “Research and Development.” They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome.

Input

• List of confirmed value streams and their related business capabilities

Output

• Business capability map with value streams for your organization

Materials

• Your existing business capability map or the template provided in the Data Governance Planning and Roadmapping Workbook accompanying this blueprint

Participants

• Key business stakeholders
• Data stewards
• Data custodians
• Data Governance Working Group

For more information, refer to Info-Tech’s Document Your Business Architecture.

Define or validate the organization’s value streams

Value streams connect business goals to the organization’s value realization activities. These value realization activities, in turn, depend on data.

If the organization does not have a business architecture function to conduct and guide Activity 1.1.1, you can leverage the following approach:

• Meet with key stakeholders regarding this topic, then discuss and document your findings.
• When trying to identify the right stakeholders, consider: Who are the decision makers and key influencers? Who will impact this piece of business architecture related work? Who has the relevant skills, competencies, experience, and knowledge about the organization?
• Engage with these stakeholders to define and validate how the organization creates value.
• Consider:
  • Who are your main stakeholders? This will depend on the industry in which you operate. For example, customers, residents, citizens, constituents, students, patients.
  • What are your stakeholders looking to accomplish?
  • How does your organization’s products and/or services help them accomplish that?
  • What are the benefits your organization delivers to them and how does your organization deliver those benefits?
  • How do your stakeholders receive those benefits?

Align data governance to the organization's value realization activities.

Value streams enable the organization to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

Info-Tech Insight

Your organization’s value streams and the associated business capabilities require effectively governed data. Without this, you face the possibilities of elevated operational costs, missed opportunities, eroded stakeholder satisfaction, negative impact to reputation and brand, and/or increased exposure to business risk.

Example of value streams – Retail Banking

Value streams connect business goals to the organization’s value realization activities.

Example value stream descriptions for: Retail Banking

Value streams enable the organization to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

For this value stream, download Info-Tech’s Info-Tech’s Industry Reference Architecture for Retail Banking.

Example of value streams – Higher Education

Value streams connect business goals to the organization’s value realization activities.

Example value stream descriptions for: Higher Education

Value streams enable the organization to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

For this value stream, download Info-Tech’s Industry Reference Architecture for Higher Education.

Example of value streams – Local Government

Value streams connect business goals to the organization’s value realization activities.

Example value stream descriptions for: Local Government

Value streams enable the organization to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

For this value stream, download Info-Tech’s Industry Reference Architecture for Local Government.

Example of value streams – Manufacturing

Value streams connect business goals to the organization’s value realization activities.

Example value stream descriptions for: Manufacturing

Value streams enable the organization to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

For this value stream, download Info-Tech’s Industry Reference Architecture for Manufacturing.

Example of value streams – Retail

Value streams connect business goals to the organization’s value realization activities.

Example value stream descriptions for: Retail

Value streams enable the organization to create or capture value in the market in which it operates by engaging in a set of interconnected activities.

For this value stream, download Info-Tech’s Industry Reference Architecture for Retail.

Define the organization’s business capabilities in a business capability map

A business capability defines what a business does to enable value creation. Business capabilities represent stable business functions and typically will have a defined business outcome.

Business capabilities can be thought of as business terms defined using descriptive nouns such as “Marketing” or “Research and Development.”

If your organization doesn’t already have a business capability map, you can leverage the following approach to build one. This initiative requires a good understanding of the business. By working with the right stakeholders, you can develop a business capability map that speaks a common language and accurately depicts your business.

Working with the stakeholders as described above:

• Analyze the value streams to identify and describe the organization’s capabilities that support them.
• Consider: What is the objective of your value stream? (This can highlight which capabilities support which value stream.)
• As you initiate your engagement with your stakeholders, don’t start a blank page. Leverage the examples on the next slides as a starting point for your business capability map.
• When using these examples, consider: What are the activities that make up your particular business? Keep the ones that apply to your organization, remove the ones that don’t, and add any needed.

Align data governance to the organization's value realization activities.

Info-Tech Insight

A business capability map can be thought of as a visual representation of your organization’s business capabilities and hence represents a view of what your data governance program must support.

For more information, refer to Info-Tech’s Document Your Business Architecture.

Example business capability map – Retail Banking

A business capability map can be thought of as a visual representation of your organization’s business capabilities and hence represents a view of what your data governance program must support.

Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

Info-Tech Tip:

Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realization capabilities under discussion. This will help to build awareness and visibility of the data governance program.

Example business capability map for: Retail Banking

For this business capability map, download Info-Tech’s Industry Reference Architecture for Retail Banking.

Example business capability map – Higher Education

A business capability map can be thought of as a visual representation of your organization’s business capabilities and hence represents a view of what your data governance program must support.

Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

Info-Tech Tip:

Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realization capabilities under discussion. This will help to build awareness and visibility of the data governance program.

Example business capability map for: Higher Education

For this business capability map, download Info-Tech’s Industry Reference Architecture for Higher Education.

Example business capability map – Local Government

A business capability map can be thought of as a visual representation of your organization’s business capabilities and hence represents a view of what your data governance program must support.

Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

Info-Tech Tip:

Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realization capabilities under discussion. This will help to build awareness and visibility of the data governance program.

Example business capability map for: Local Government

For this business capability map, download Info-Tech’s Industry Reference Architecture for Local Government.

Example business capability map – Manufacturing

A business capability map can be thought of as a visual representation of your organization’s business capabilities and hence represents a view of what your data governance program must support.

Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

Info-Tech Tip:

Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realization capabilities under discussion. This will help to build awareness and visibility of the data governance program.

Example business capability map for: Manufacturing

For this business capability map, download Info-Tech’s Industry Reference Architecture for Manufacturing.

Example business capability map - Retail

A business capability map can be thought of as a visual representation of your organization’s business capabilities and hence represents a view of what your data governance program must support.

Validate your business capability map with the right stakeholders, including your executive team, business unit leaders, and/or other key stakeholders.

Info-Tech Tip:

Leverage your business capability map verification session with these key stakeholders as a prime opportunity to share and explain the role of data and data governance in supporting the very value realization capabilities under discussion. This will help to build awareness and visibility of the data governance program.

Example business capability map for: Retail

For this business capability map, download Info-Tech’s Industry Reference Architecture for Retail.

1.1.2 Categorize Your Organization’s Key Capabilities

Determine which capabilities are considered high priority in your organization.

1. Categorize or heatmap the organization’s key capabilities. Consult with senior and other key business stakeholders to categorize and prioritize the business’ capabilities. This will aid in ensuring your data governance future state planning is aligned with the mandate of the business. One approach to prioritizing capabilities with business stakeholders is to examine them through the lens of cost advantage creators, competitive advantage differentiators, and/or by high value/high risk.
2. Identify cost advantage creators. Focus on capabilities that drive a cost advantage for your organization. Highlight these capabilities and prioritize programs that support them.
3. Identify competitive advantage differentiators. Focus on capabilities that give your organization an edge over rivals or other players in your industry.

This categorization/prioritization exercise helps highlight prime areas of opportunity for building use cases, determining prioritization, and the overall optimization of data and data governance.

Input

• Strategic insight from senior business stakeholders on the business capabilities that drive value for the organization

Output

• Business capabilities categorized and prioritized (e.g. cost advantage creators, competitive advantage differentiators, high value/high risk)

Materials

• Your existing business capability map or the business capability map derived in the previous activity

Participants

• Key business stakeholders
• Data stewards
• Data custodians
• Data Governance Working Group

For more information, refer to Info-Tech’s Document Your Business Architecture.

Example of business capabilities categorization or heatmapping – Retail

This exercise is useful in ensuring the data governance program is focused and aligned to support the priorities and direction of the business.

• Depending on the mandate from the business, priority may be on developing cost advantage. Hence the capabilities that deliver efficiency gains are the ones considered to be cost advantage creators.
• The business’ priority may be on maintaining or gaining a competitive advantage over its industry counterparts. Differentiation might be achieved in delivering unique or enhanced products, services, and/or experiences, and the focus will tend to be on the capabilities that are more end-stakeholder-facing (e.g. customer-, student-, patient,- and/or constituent-facing). These are the organization’s competitive advantage creators.

Example: Retail

For this business capability map, download Info-Tech’s Industry Reference Architecture for Retail.

1.1.3 Develop a Strategy Map Tied to Data Governance

Identify the strategic objectives for the business. Knowing the key strategic objectives will drive business-data governance alignment. It’s important to make sure the right strategic objectives of the organization have been identified and are well understood.

1. Meet with senior business leaders and other relevant stakeholders to help identify and document the key strategic objectives for the business.
2. Leverage their knowledge of the organization’s business strategy and strategic priorities to visually represent how these map to value streams, business capabilities, and, ultimately, to data and data governance needs and initiatives. Tip: Your map is one way to visually communicate and link the business strategy to other levels of the organization.
3. Confirm the strategy mapping with other relevant stakeholders.

Guide to creating your map: Starting with strategic objectives, map the value streams that will ultimately drive them. Next, link the key capabilities that enable each value stream. Then map the data and data governance to initiatives that support those capabilities. This is one approach to help you prioritize the data initiatives that deliver the most value to the organization.

Input

• Strategic objectives as outlined by the organization’s business strategy and confirmed by senior leaders

Output

• A strategy map that maps your organizational strategic objectives to value streams, business capabilities, and, ultimately, to data program

Materials

• Your existing business capability map or the one created in the previous step
• The strategy map template provided in the Data Governance Planning and Roadmapping Workbook
• Business strategy

Participants

• Key business stakeholders
• Data stewards
• Data custodians
• Data Governance Working Group

Download Info-Tech’s Data Governance Planning and Roadmapping Workbook

Example of a strategy map tied to data governance

• Strategic objectives are the outcomes that the organization is looking to achieve.
• Value streams enable an organization to create and capture value in the market through interconnected activities that support strategic objectives.
• Business capabilities define what a business does to enable value creation in value streams.
• Data capabilities and initiatives are descriptions of action items on the data and data governance roadmap and which will enable one or multiple business capabilities in its desired target state.

Info-Tech Tip:

Start with the strategic objectives, then map the value streams that will ultimately drive them. Next, link the key capabilities that enable each value stream. Then map the data and data governance initiatives that support those capabilities. This process will help you prioritize the data initiatives that deliver the most value to the organization.

Example: Retail

For this strategy map, download Info-Tech’s Industry Reference Architecture for Retail.

Step 1.2

Build High-Value Use Cases for Data Governance

Activities

1.2.1 Build High-Value Use Cases

This step will guide you through the following activities:

• Leveraging your categorized business capability map to conduct deep-dive sessions with key business stakeholders for creating high-value uses cases
• Discussing current challenges, risks, and opportunities associated with the use of data across the lines of business
• Exploring which other business capabilities, stakeholder groups, and business units will be impacted

Outcomes of this step

• Relevant use cases that articulate the data-related challenges, needs, or opportunities that are clear and contained and, if addressed ,will deliver value to the organization

Info-Tech Tip

One of the most important aspects when building use cases is to ensure you include KPIs or measures of success. You have to be able to demonstrate how the use case ties back to the organizational priorities or delivers measurable business value. Leverage the KPIs and success factors of the business capabilities tied to each particular use case.

1.2.1 Build High-Value Use Cases

This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organization.

1. Bring together key business stakeholders (data owner, stewards, SMEs) from a particular line of business as well as the relevant data custodian(s) to build cases for their units. Leverage the business capability map you created for facilitating this act.
2. Leverage Info-Tech’s framework for data requirements and methodology for creating use cases, as outlined in the Data Use Case Framework Template and seen on the next slide.
3. Have the stakeholders move through each breakout session outlined in the Use Case Worksheet. Use flip charts or a whiteboard to brainstorm and document their thoughts.
4. Debrief and document results in the Data Use Case Framework Template
5. Repeat this exercise with as many lines of the business as possible, leveraging your business capability map to guide your progress and align with business value.

Tip: Don’t conclude these use case discussions without substantiating what measures of success will be used to demonstrate the business value of the effort to produce the desired future state, as relevant to each particular use case.

Input

• Value streams and business capabilities as defined by business leaders
• Business stakeholders’ subject area expertise
• Data custodian systems, integration, and data knowledge

Output

• Use cases that articulate data-related challenges, needs or opportunities that are tied to defined business capabilities and hence if addressed will deliver measurable value to the organization.

Materials

• Your business capability map from activity 1.1.1
• Info-Tech’s Data Use Case Framework Template
• Whiteboard or flip charts (or shared screen if working remotely)
• Markers/pens

Participants

• Key business stakeholders
• Data stewards and business SMEs
• Data custodians
• Data Governance Working Group

Download Info-Tech’s Data Use Case Framework Template

Info-Tech’s Framework for Building Use Cases

Objective: This business needs-gathering activity will highlight and create relevant use cases around data-related problems or opportunities that are clear and contained and, if addressed, will deliver value to the organization.

Leveraging your business capability map, build use cases that align with the organization’s key business capabilities.

Consider:

• Is the business capability a cost advantage creator or an industry differentiator?
• Is the business capability currently underserved by data?
• Does this need to be addressed? If so, is this risk- or value-driven?

Info-Tech’s Data Requirements and Mapping Methodology for Creating Use Cases

1. What business capability (or capabilities) is this use case tied to for your business area(s)?
2. What are your data-related challenges in performing this today?
3. What are the steps in this process/activity today?
4. What are the applications/systems used at each step today?
5. What data domains are involved, created, used, and/or transformed at each step today?
6. What does an ideal or improved state look like?
7. What other business units, business capabilities, activities, and/or processes will be impacted or improved if this issue was solved?
8. Who are the stakeholders impacted by these changes? Who needs to be consulted?
9. What are the risks to the organization (business capability, revenue, reputation, customer loyalty, etc.) if this is not addressed?
10. What compliance, regulatory, and/or policy concerns do we need to consider in any solution?
11. What measures of success or change should we use to prove the value of the effort (such as KPIs, ROI)? What is the measurable business value of doing this?

The resulting use cases are to be prioritized and leveraged for informing the business case and the data governance capabilities optimization plan.

Taken from Info-Tech’s Data Use Case Framework Template

Phase 2

Understand Your Current Data Governance Capabilities

This phase will guide you through the following activities:

• Understand the Key Components of Data Governance
• Gauge Your Organization’s Current Data Culture

This phase involves the following participants:

• Data Leadership
• Data Ownership & Stewardship
• Policies & Procedures
• Data Literacy & Culture
• Operating Model
• Data Management
• Data Privacy & Security
• Enterprise Projects & Services

Step 2.1

Understand the Key Components of Data Governance

This step will guide you through the following activities:

• Understanding the core components of an effective data governance program and determining your organization’s current capabilities in these areas:
  • Data Leadership
  • Data Ownership & Stewardship
  • Policies & Procedures
  • Data Literacy & Culture
  • Operating Model
  • Data Management
  • Data Privacy & Security
  • Enterprise Projects & Services

Outcomes of this step

• An understanding the core components of an effective data governance program
• An understanding your organization’s current data governance capabilities

Review: Info-Tech’s Data Governance Framework

Key components of data governance

A well-defined data governance program will deliver:

• Defined accountability and responsibility for data.
• Improved knowledge and common understanding of the organization’s data assets.
• Elevated trust and confidence in traceable data.
• Improved data ROI and reduced data debt.
• An enabling framework for supporting the ethical use and handling of data.
• A foundation for building and fostering a data-driven and data-literate organizational culture.

The key components of establishing sustainable enterprise data governance, taken from Info-Tech’s Data Governance Framework:

• Data Leadership
• Data Ownership & Stewardship
• Operating Model
• Policies & Procedures
• Data Literacy & Culture
• Data Management
• Data Privacy & Security
• Enterprise Projects & Services

Data Leadership

• Data governance needs a dedicated head or leader to steer the organization’s data governance program.
• For organizations that do have a chief data officer (CDO), their office is the ideal and effective home for data governance.
• Heads of data governance also have titles such as director of data governance, director of data quality, and director of analytics.
• The head of your data governance program works with all stakeholders and partners to ensure there is continuous enterprise governance alignment and oversight and to drive the program’s direction.
• While key stakeholders from the business and IT will play vital data governance roles, the head of data governance steers the various components, stakeholders, and initiatives, and provides oversight of the overall program.
• Vital data governance roles include: data owners, data stewards, data custodians, data governance steering committee (or your organization’s equivalent), and any data governance working group(s).

The role of the CDO: the voice of data

The office of the chief data officer (CDO):

• Has a cross-organizational vision and strategy for data.
• Owns and drives the data strategy; ensures it supports the overall organizational strategic direction and business goals.
• Leads the organizational data initiatives, including data governance
• Is accountable for the policy, strategy, data standards, and data literacy necessary for the organization to operate effectively.
• Educates users and leaders about what it means to be “data-driven.”
• Builds and fosters a culture of data excellence.

“Compared to most of their C-suite colleagues, the CDO is faced with a unique set of problems. The role is still being defined. The chief data officer is bringing a new dimension and focus to the organization: ‘data.’ ”

– Carruthers and Jackson, 2020

Who does the CDO report to?

• The CDO should be a true C- level executive.
• Where the organization places the CDO role in the structure sends an important signal to the business about how much it values data.

“The title matters. In my opinion, you can’t have a CDO without executive authority. Otherwise no one will listen.”

– Anonymous European CDO

“The reporting structure depends on who’s the ‘glue’ that ties together all these uniquely skilled individuals.”

– John Kemp, Senior Director, Executive Services, Info-Tech Research Group

Data Ownership & Stewardship

Who are best suited to be data owners?

• Wherever they may sit in your organization, data owners will typically have the highest stake in that data.
• Data owners need to be suitably senior and have the necessary decision-making power.
• They have the highest interest in the related business data domain, whether they are the head of a business unit or the head of a line of business that produces data or consumes data (or both).
• If they are neither of these, it’s unlikely they will have the interest in the data (in terms of its quality, protection, ethical use, and handling, for instance) necessary to undertake and adopt the role effectively.

Data owners are typically senior business leaders with the following characteristics:

• Positioned to accept accountability for their data domain.
• Hold authority and influence to affect change, including across business processes and systems, needed to improve data quality, use, handling, integration, etc.
• Have access to a budget and resources for data initiatives such as resolving data quality issues, data cleansing initiatives, business data catalog build, related tools and technology, policy management, etc.
• Hold the influence needed to drive change in behavior and culture.
• Act as ambassadors of data and its value as an organizational strategic asset.

Right-size your data governance organizational structure

• Most organizations strive to identify roles and responsibilities at a strategic and operational level. Several factors will influence the structure of the program such as the focus of the data governance project as well as the maturity and size of the organization.
• Your data governance structure has to work for your organization, and it has to evolve as the organization evolves.
• Formulate your blend of data governance roles, committees, councils, and cross-functional groups, that make sense for your organization.
• Your data governance organizational structure should not add complexity or bureaucracy to your organization’s data landscape; it should support and enable your principle of treating data as an asset.

There is no one-size-fits-all data governance organizational structure.

Critical roles and responsibilities for data governance

Data Governance Working Groups

Data governance working groups:

• Are cross-functional teams
• Deliver on data governance projects, initiatives, and ad hoc review committees.

Data Stewards

Traditionally, data stewards:

• Serve on an operational level addressing issues related to adherence to standards/procedures, monitoring data quality, raising issues identified, etc.
• Are responsible for managing access, quality, escalating issues, etc.

Data Custodians

• Traditionally, data custodians:

• Serve on an operational level addressing issues related to data and database administration.
• Support the management of access, data quality, escalating issues, etc.
• Are SMEs from IT and database administration.

Example: Business capabilities to data owner and data stewards mapping for a selected data domain

Info-Tech Insight

Your organization’s value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

Enabling business capabilities with data governance role definitions

Operating Model

Your operating model is the key to designing and operationalizing a form of data governance that delivers measurable business value to your organization.

“Generate excitement for data: When people are excited and committed to the vision of data enablement, they’re more likely to help ensure that data is high quality and safe.” – Petzold, et al., 2020

Operating Model

Defining your data governance operating model will help create a well-oiled program that sustainably delivers value to the organization and manages risks while building and fostering a culture of data excellence along the way. Some organizations are able to establish a formal data governance office, whether independent or attached to the office of the chief data officer. Regardless of how you are organized, data governance requires a home, a leader, and an operating model to ensure its sustainability and evolution.

Examples of focus areas for your operating model:

• Delivery: While there are core tenets to every data governance program, there is a level of variability in the implementation of data governance programs across organizations, sectors, and industries. Every organization has its own particular drivers and mandates, so the level and rigor applied will also vary.

The key is to determine what style will work best in your organization, taking into consideration your organizational culture, executive leadership support (present and ongoing), catalysts such as other enterprise-wide transformative and modernization initiatives, and/or regulatory and compliances drivers.

• Communication: Communication is vital across all levels and stakeholder groups. For instance, there needs to be communication from the data governance office up to senior leadership, as well as communication within the data governance organization, which is typically made up of the data governance steering committee, data governance council, executive sponsor/champion, data stewards, and data custodians and working groups.

Furthermore, communication with the wider organization of data producers, users, and consumers is one of the core elements of the overall data governance communications plan.

Communication is vital for ensuring acceptance of new processes, rules, guidelines, and technologies by all data producers and users as well as for sharing success stories of the program.

Operating Model

Tie the value of data governance and its initiatives back to the business capabilities that are enabled.

“Leading organizations invest in change management to build data supporters and convert the skeptics. This can be the most difficult part of the program, as it requires motivating employees to use data and encouraging producers to share it (and ideally improve its quality at the source)[.]” – Petzold, et al., 2020

Operating Model

Examples of focus areas for your operating model (continued):

• Change management and issue resolution: Data governance initiatives will very likely bring about a level of organizational disruption, with governance recommendations and future state requiring potentially significant business change. This may include a redesign of a substantial number of data processes affecting various business units, which will require tweaking the organization’s culture, thought processes, and procedures surrounding its data.

Preparing people for change well in advance will allow them to take the steps necessary to adapt and reduce potential confrontation. By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

Attempting to implement change without an effective communications plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

• Performance measuring, monitoring and reporting: Measuring and reporting on performance, successes, and realization of tangible business value are a must for sustaining, growing, and scaling your data governance program.

Aligning your data governance to the organization's value realization activities enables you to leverage the KPIs of those business capabilities to demonstrate tangible and measurable value. Use terms and language that will resonate with your senior business leadership.

Info-Tech Tip:

Launching a data governance program will bring with it a level of disruption to the culture of the organization. That disruption doesn’t have to be detrimental if you are prepared to manage the change proactively and effectively.

Policies, Procedures & Standards

“Data standards are the rules by which data are described and recorded. In order to share, exchange, and understand data, we must standardize the format as well as the meaning.” – U.S. Geological Survey

Policies, Procedures & Standards

• When defining, updating, or refreshing your data policies, procedures, and standards, ensure they are relevant, serve a purpose, and/or support the use of data in the organization.
• Avoid the common pitfall of building out a host of policies, procedures, and standards that are never used or followed by users and therefore don’t bring value or serve to mitigate risk for the organization.
• Data policies can be thought of as formal statements and are typically created, approved, and updated by the organization’s data decision-making body (such as a data governance steering committee).
• Data standards and procedures function as actions, or rules, that support the policies and their statements.
• Standards and procedures are designed to standardize the processes during the overall data lifecycle. Procedures are instructions to achieve the objectives of the policies. The procedures are iterative and will be updated with approval from your data governance committee as needed.
• Your organization’s data policies, standards, and procedures should not bog down or inhibit users; rather, they should enable confident data use and handling across the overall data lifecycle. They should support more effective and seamless data capture, integration, aggregation, sharing, and retention of data in the organization.

Examples of data policies:

• Data Classification Policy
• Data Retention Policy
• Data Entry Policy
• Data Backup Policy
• Data Provenance Policy
• Data Management Policy

Data Domain Documentation

Select the correct granularity for your business need

Sources: Dataversity; Atlan; Analytics8

Data Domain Documentation Examples

Data Culture

“Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.” – Petzold, et al., 2020

A healthy data culture is key to amplifying the power of your data and to building and sustaining an effective data governance program.

What does a healthy data culture look like?

• Everybody knows the data.
• Everybody trusts the data.
• Everybody talks about the data.

Building a culture of data excellence.

Leverage Info-Tech’s Data Culture Diagnostic to understand your organization’s culture around data.

Contact your Info-Tech Account Representative for more information on the Data Culture Diagnostic

Cultivating a data-driven culture is not easy

“People are at the heart of every culture, and one of the biggest challenges to creating a data culture is bringing everyone into the fold.” – Lim, Alation

It cannot be purchased or manufactured,

It must be nurtured and developed,

And it must evolve as the business, user, and data landscapes evolve.

“Companies that have succeeded in their data-driven efforts understand that forging a data culture is a relentless pursuit, and magic bullets and bromides do not deliver results.” – Randy Bean, 2020

Hallmarks of a data-driven culture

There is a trusted, single source of data the whole company can draw from.

There’s a business glossary and data catalog and users know what the data fields mean.

Users have access to data and analytics tools. Employees can leverage data immediately to resolve a situation, perform an activity, or make a decision – including frontline workers.

Data literacy, the ability to collect, manage, evaluate, and apply data in a critical manner, is high.

Data is used for decision making. The company encourages decisions based on objective data and the intelligent application of it.

A data-driven culture requires a number of elements:

• High-quality data
• Broad access and data literacy
• Data-driven decision-making processes
• Effective communication

Data Literacy

Data literacy is an essential part of a data-driven culture.

• Building a data-driven culture takes an ongoing investment of time, effort, and money.
• This investment will not realize its full return without building up the organization’s data literacy.
• Data literacy is about filling data knowledge gaps across all levels of the organization.
• It’s about ensuring all users – senior leadership right through to core users – are equipped with appropriate levels of training, skills, understanding, and awareness around the organization’s data and the use of associated tools and technologies. Data literacy ensures users have the data they need and they know how to interpret and leverage it.
• Data literacy drives the appetite, demand, and consumption for data.
• A data-literate culture is one where the users feel confident and skilled in their use of data, leveraging it for making informed or evidence-based decisions and generating insights for the organization.

Data Management

• Data governance serves as an enabler to all of the core components that make up data management:
  • Data quality management
  • Data architecture management
  • Data platform
  • Data integration
  • Data operations management
  • Data risk management
  • Reference and master data management (MDM)
  • Document and content management
  • Metadata management
  • Business intelligence (BI), reporting, analytics and advanced analytics, artificial intelligence (AI), machine learning (ML)
• Key tools such as the business data glossary and data catalog are vital for operationalizing data governance and in supporting data management disciplines such as data quality management, metadata management, and MDM as well as BI, reporting, and analytics.

Enterprise Projects & Services

• Data governance serves as an enabler to enterprise projects and services that require, use, share, sell, and/or rely on data for their viability and, ultimately, their success.
• Folding or embedding data governance into the organization’s project management function or project management office (PMO) serves to ensure that, for any initiative, suitable consideration is given to how data is treated.
• This may include defining parameters, following standards and procedures around bringing in new sources of data, integrating that data into the organization’s data ecosystem, using and sharing that data, and retaining that data post-project completion.
• The data governance function helps to identify and manage any ethical issues, whether at the start of the project and/or throughout.
• It provides a foundation for asking relevant questions as it relates to the use or incorporation of data in delivering the specific project or service. Do we know where the data obtained from? Do we have rights to use that data? Are there legislations, policies, or regulations that guide or dictate how that data can be used? What are the positive effects, negative impacts, and/or risks associated with our intended use of that data? Are we positioned to mitigate those risks?
• Mature data governance creates organizations where the above considerations around data management and the ethical use and handling of data is routinely implemented across the business and in the rollout and delivery of projects and services.

Data Privacy & Security

• Data governance supports the organization’s data privacy and security functions.
• Key tools include the data classification policy and standards and defined roles around data ownership and data stewardship. These are vital for operationalizing data governance and supporting data privacy, security, and the ethical use and handling of data.
• While some organizations may have a dedicated data security and privacy group, data governance provides an added level of oversight in this regard.
• Some of the typical checks and balances include ensuring:
  • There are policies and procedures in place to restrict and monitor staff’s access to data (one common way this is done is according to job descriptions and responsibilities) and that these comply with relevant laws and regulations.
  • There’s a data classification scheme in place where data has been classified on a hierarchy of sensitivity (e.g. top secret, confidential, internal, limited, public).
  • The organization has a comprehensive data security framework, including administrative, physical, and technical procedures for addressing data security issues (e.g. password management and regular training).
  • Risk assessments are conducted, including an evaluation of risks and vulnerabilities related to intentional and unintentional misuse of data.
  • Policies and procedures are in place to mitigate the risks associated with incidents such as data breaches.
  • The organization regularly audits and monitors its data security.

Ethical Use & Handling of Data

Data governance will support your organization’s ethical use and handling of data by facilitating definition around important factors, such as:

• What are the various data assets in the organization and what purpose(s) can they be used for? Are there any limitations?
• Who is the related data owner? Who holds accountability for that data? Who will be answerable?
• Where was the data obtained from? What is the intended use of that data? Do you have rights to use that data? Are there legislations, policies, or regulations that guide or dictate how that data can be used?
• What are the positive effects, negative impacts, and/or risks associated with the use of that data?

Ethical Use & Handling of Data

• Data governance serves as an enabler to the ethical use and handling of an organization’s data.
• The Open Data Institute (ODI) defines data ethics as: “A branch of ethics that evaluates data practices with the potential to adversely impact on people and society – in data collection, sharing and use.”
• Data ethics relates to good practice around how data is collected, used and shared. It’s especially relevant when data activities have the potential to impact people and society, whether directly or indirectly (Open Data Institute, 2019).
• A failure to handle and use data ethically can negatively impact an organization’s direct stakeholders and/or the public at large, lead to a loss of trust and confidence in the organization's products and services, lead to financial loss, and impact the organization’s brand, reputation, and legal standing.
• Data governance plays a vital role in building and managing your data assets, knowing what data you have, and knowing the limitations of that data. Data ownership, data stewardship, and your data governance decision-making body are key tenets and foundational components of your data governance. They enable an organization to define, categorize, and confidently make decisions about its data.

Step 2.2

Gauge Your Organization’s Current Data Culture

Activities

2.2.1 Gauge Your Organization’s Current Data Culture

This step will guide you through the following activities:

• Conduct a data culture survey or leverage Info-Tech’s Data Culture Diagnostic to increase your understanding of your organization’s data culture

Outcomes of this step

• An understanding of your organizational data culture

2.2.1 Gauge Your Organization’s Current Data Culture

Conduct a Data Culture Survey or Diagnostic

The objectives of conducting a data culture survey are to increase the understanding of the organization's data culture, your users’ appetite for data, and their appreciation for data in terms of governance, quality, accessibility, ownership, and stewardship. To perform a data culture survey:

1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
2. Conduct an information session to introduce Info-Tech’s Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organization’s current data culture and inform the improvement of that culture.
3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

Input

• Email addresses of participants in your organization who should receive the survey

Output

• Your organization’s Data Culture Scorecard for understanding current data culture as it relates to the use and consumption of data
• An understanding of whether data is currently perceived to be an asset to the organization

Materials

• Info-Tech’s Data Culture Diagnostic service

Participants

• Participants include those at the senior leadership level through to middle management, as well as other business stakeholders at varying levels across the organization
• Data owners, stewards, and custodians
• Core data users and consumers

Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

Phase 3

Build a Target State Roadmap and Plan

“Achieving data success is a journey, not a sprint.” Companies that set a clear course, with reasonable expectations and phased results over a period of time, get to the destination faster.” – Randy Bean, 2020

This phase will guide you through the following activities:

• Build your Data Governance Roadmap
• Develop a target state plan comprising of prioritized initiatives

This phase involves the following participants:

• Data Governance Leadership
• Data Owners/Data Stewards
• Data Custodians
• Data Governance Working Group(s)

Step 3.1

Formulate an Actionable Roadmap and Right-Sized Plan

This step will guide you through the following activities:

• Build your data governance roadmap
• Develop a target state plan comprising of prioritized initiatives

Outcomes of this step

• A foundation for data governance initiative planning that’s aligned with the organization’s business architecture: value streams, business capability map, and strategy map

Build a right-sized roadmap

Formulate an actionable roadmap that is right sized to deliver value in your organization.

Key considerations:

• When building your data governance roadmap, ensure you do so through an enterprise lens. Be cognizant of other initiatives that might be coming down the pipeline that may require you to align your data governance milestones accordingly.
• Apart from doing your planning with consideration for other big projects or launches that might be in-flight and require the time and attention of your data governance partners, also be mindful of the more routine yet still demanding initiatives.
• When doing your roadmapping, consider factors like the organization’s fiscal cycle, typical or potential year-end demands, and monthly/quarterly reporting periods and audits. Initiatives such as these are likely to monopolize the time and focus of personnel key to delivering on your data governance milestones.

Sample milestones:

Data Governance Leadership & Org Structure Definition

Define the home for data governance and other key roles around ownership and stewardship, as approved by senior leadership.

Data Governance Charter and Policies

Create a charter for your program and build/refresh associated policies.

Data Culture Diagnostic

Understand the organization’s current data culture, perception of data, value of data, and knowledge gaps.

Use Case Build and Prioritization

Build a use case that is tied to business capabilities. Prioritize accordingly.

Business Data Glossary/Catalog

Build and/or refresh the business’ glossary for addressing data definitions and standardization issues.

Tools & Technology

Explore the tools and technology offering in the data governance space that would serve as an enabler to the program. (e.g. RFI, RFP).

Recall: Info-Tech’s Data Governance Framework

Build an actionable roadmap

Data Governance Leadership & Org Structure Division

Define key roles for getting started.

Use Case Build & Prioritization

Start small and then scale – deliver early wins.

Literacy Program

Start understanding data knowledge gaps, building the program, and delivering.

Tools & Technology

Make the available data governance tools and technology work for you.

Key components of your data governance roadmap

By now, you have assessed current data governance environment and capabilities. Use this assessment, coupled with the driving needs of your business, to plot your data Governance roadmap accordingly.

Sample data governance roadmap milestones:

• Define data governance leadership.
• Define and formalize data ownership and stewardship (as well as the role IT/data management will play as data custodians).
• Build/confirm your business capability map and data domains.
• Build business data use cases specific to business capabilities.
• Define business measures/KPIs for the data governance program (i.e. metrics by use case that are relevant to business capabilities).
• Data management:
  • Build your data glossary or catalog starting with identified and prioritized terms.
  • Define data domains.
• Design and define the data governance operating model (oversight model definition, communication plan, internal marketing such as townhalls, formulate change management plan, RFP of data governance tool and technology options for supporting data governance and its administration).
• Data policies and procedures:
  • Formulate, update, refresh, consolidate, rationalize, and/or retire data policies and procedures.
  • Define policy management and administration framework (i.e. roll-out, maintenance, updates, adherence, system to be used).
• Conduct Info-Tech’s Data Culture Diagnostic or survey (across all levels of the organization).
• Define and formalize the data literacy program (build modules, incorporate into LMS, plan lunch and learn sessions).
• Data privacy and security: build data classification policy, define classification standards.
• Enterprise projects and services: embed data governance in the organization’s PMO, conduct “Data Governance 101” for the PMO.

Defining data governance roles and organizational structure at Organization

The approach employed for defining the data governance roles and supporting organizational structure for .

Key Considerations:

• The data owner and data steward roles are formally defined and documented within the organization. Their involvement is clear, well-defined, and repeatable.
• There are data owners and data stewards for each data domain within the organization. The data steward role is given to someone with a high degree of subject matter expertise.
• Data owners and data stewards are effective in their roles by ensuring that their data domain is clean and free of errors and that they protect the organization against data loss.
• Data owners and data stewards have the authority to make final decisions on data definitions, formats, and standard processes that apply to their respective data sets. Data owners and data stewards have authority regarding who has access to certain data.
• Data owners and data stewards are not from the IT side of the organization. They understand the lifecycle of the data (how it is created, curated, retrieved, used, archived, and destroyed) and they are well-versed in any compliance requirements as it relates to their data.
• The data custodian role is formally defined and is given to the relevant IT expert. This is an individual with technical administrative and/or operational responsibility over data (e.g. a DBA).
• A data governance steering committee exists and is comprised of well-defined roles, responsibilities, executive sponsors, business representatives, and IT experts.
• The data governance steering committee works to provide oversight and enforce policies, procedures, and standards for governing data.
• The data governance working group has cross-functional representation. This comprises business and IT representation, as well as project management and change management where applicable: data stewards, data custodians, business subject matter experts, PM, etc.).
• Data governance meetings are coordinated and communicated about. The meeting agenda is always clear and concise, and meetings review pressing data-related issues. Meeting minutes are consistently documented and communicated.

Sample: Business capabilities to data owner and data stewards mapping for a selected data domain

Info-Tech Insight

Your organization’s value streams and the associated business capabilities require effectively governed data. Without this, you face elevated operational costs, missed opportunities, eroded stakeholder satisfaction, and exposure to increased business risk.

Enable business capabilities with data governance role definitions.

Consider your technology options:

Make the available data governance tools and technology work for you:

• Data catalog
• Business data glossary
• Data lineage
• Metadata management

These are some of the data governance tools and technology players. Check out SoftwareReviews for help making better software decisions.

Make the data steward the catalyst for organizational change and driving data culture

The data steward must be empowered and backed politically with decision-making authority, or the role becomes stale and powerless.

Ensuring compliance can be difficult. Data stewards may experience pushback from stakeholders who must deliver on the policies, procedures, and processes that the data steward enforces.

Because the data steward must enforce data processes and liaise with so many different people and departments within the organization, the data steward role should be their primary full-time job function – where possible.

However, in circumstances where budget doesn’t allow a full-time data steward role, develop these skills within the organization by adding data steward responsibilities to individuals who are already managing data sets for their department or line of business.

Info-Tech Tip

A stewardship role is generally more about managing the cultural change that data governance brings. This requires the steward to have exceptional interpersonal skills that will assist in building relationships across departmental boundaries and ensuring that all stakeholders within the organization believe in the initiative, understand the anticipated outcomes, and take some level of responsibility for its success.

Changes to organizational data processes are inevitable; have a communication plan in place to manage change

Create awareness of your data governance program. Use knowledge transfer to get as many people on board as possible.

Data governance initiatives must contain a strong organizational disruption component. A clear and concise communication strategy that conveys milestones and success stories will address the various concerns that business unit stakeholders may have.

By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

Governance recommendations will require significant business change. The redesign of a substantial number of data processes affecting various business units will require an overhaul of the organization’s culture, thought processes, and procedures surrounding its data. Preparing people for change well in advance will allow them to take the necessary steps to adapt and reduce potential confrontation.

Because a data governance initiative will involve data-driven business units across the organization, the governance team must present a compelling case for data governance to ensure acceptance of new processes, rules, guidelines, and technologies by all data producers and users.

Attempting to implement change without an effective communication plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

Info-Tech Insight

Launching a data governance initiative is guaranteed to disrupt the culture of the organization. That disruption doesn’t have to be detrimental if you are prepared to manage the change proactively and effectively.

Create a common data governance vision that is consistently communicated to the organization

A data governance program should be an enterprise-wide initiative.

To create a strong vision for data governance, there must be participation from the business and IT. A common vision will articulate the state the organization wishes to achieve and how it will reach that state. Visioning helps to develop long-term goals and direction.

Once the vision is established, it must be effectively communicated to everyone, especially those who are involved in creating, managing, disposing, or archiving data.

The data governance program should be periodically refined. This will ensure the organization continues to incorporate best methods and practices as the organization grows and data needs evolve.

Info-Tech Tips

• Use information from the stakeholder interviews to derive business goals and objectives.
• Work to integrate different opinions and perspectives into the overall vision for data governance.
• Brainstorm guiding principles for data and understand the overall value to the organization.

Develop a compelling data governance communications plan to get all departmental lines of business on board

A data governance program will impact all data-driven business units within the organization.

A successful data governance communications plan involves making the initiative visible and promoting staff awareness. Educate the team on how data is collected, distributed, and used, what internal processes use data, and how that data is used across departmental boundaries.

By demonstrating how data governance will affect staff directly, you create a deeper level of understanding across lines of business, and ultimately, a higher level of acceptance for new processes, rules, and guidelines.

A clear and concise communications strategy will raise the profile of data governance within the organization, and staff will understand how the program will benefit them and how they can share in the success of the initiative. This will end up providing support for the initiative across the board.

A proactive communications plan will:

• Assist in overcoming issues with data control, stalemates between stakeholder units, and staff resistance.
• Provide a formalized process for implementing new policies, rules, guidelines, and technologies, and managing organizational data.
• Detail data ownership and accountability for decision making, and identify and resolve data issues throughout the organization.
• Encourage acceptance and support of the initiative.

Info-Tech Tip

Focus on literacy and communication: include training in the communication plan. Providing training for data users on the correct procedures for updating and verifying the accuracy of data, data quality, and standardized data policies will help validate how data governance will benefit them and the organization.

Leverage the data governance program to communicate and promote the value of data within the organization

The data governance program is responsible for continuously promoting the value of data to the organization. The data governance program should seek a variety of ways to educate the organization and data stakeholders on the benefit of data management.

Even if data policies and procedures are created, they will be highly ineffective if they are not properly communicated to the data producers and users alike.

There needs to be a communication plan that highlights how the data producer and user will be affected, what their new responsibilities are, and the value of that change.

To learn how to manage organizational change, refer to Info-Tech’s Master Organizational Change Management Practices.

Understand what makes for an effective policy for data governance

It can be difficult to understand what a policy is, and what it is not. Start by identifying the differences between a policy and standards, guidelines, and procedures.

The following are key elements of a good policy:

Leverage myPolicies, Info-Tech’s web-based application for managing your policies and procedures

Most organizations have problems with policy management. These include:

1. Policies are absent or out of date
2. Employees largely unaware of policies in effect
3. Policies are unmonitored and unenforced
4. Policies are in multiple locations
5. Multiple versions of the same policy exist
6. Policies managed inconsistently across different silos
7. Policies are written poorly by untrained authors
8. Inadequate policy training program
9. Draft policies stall and lose momentum
10. Weak policy support from senior management

Technology should be used as a means to solve these problems and effectively monitor, enforce, and communicate policies.

Product Overview

myPolicies is a web-based solution to create, distribute, and manage corporate policies, procedures, and forms. Our solution provides policy managers with the tools they need to mitigate the risk of sanctions and reduce the administrative burden of policy management. It also enables employees to find the documents relevant to them and build a culture of compliance.

Some key success factors for policy management include:

• Store policies in a central location that is well known and easy to find and access. A key way that technology can help communicate policies is by having them published on a centralized website.
• Link this repository to other policies’ taxonomies of your organization. E.g. HR policies to provide a single interface for employees to access guidance across the organization.
• Reassess policies annually at a minimum. myPolicies can remind you to update the organization’s policies at the appropriate time.
• Make the repository searchable and easily navigable.
• myPolicies helps you do all this and more.

Enforce data policies to promote consistency of business processes

Data policies are short statements that seek to manage the creation, acquisition, integrity, security, compliance, and quality of data. These policies vary amongst organizations, depending on your specific data needs.

• Policies describe what to do, while standards and procedures describe how to do something.
• There should be few data policies, and they should be brief and direct. Policies are living documents and should be continuously updated to respond to the organization’s data needs.
• The data policies should highlight who is responsible for the data under various scenarios and rules around how to manage it effectively.

Examples of Data Policies

Trust

• Data Cleansing and Quality Policy
• Data Entry Policy

Availability

• Acceptable Use Policy
• Data Backup Policy

Security

• Data Security Policy
• Password Policy Template
• User Authorization, Identification, and Authentication Policy Template
• Data Protection Policy

Compliance

• Archiving Policy
• Data Classification Policy
• Data Retention Policy

Leverage data management-related policies to standardize your data management practices

Info-Tech’s Data Management Policy:

This policy establishes uniform data management standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of the organization. This policy applies to all critical data and to all staff who may be creators and/or users of such data.

Info-Tech’s Data Entry Policy:

The integrity and quality of data and evidence used to inform decision making is central to both the short-term and long-term health of an organization. It is essential that required data be sourced appropriately and entered into databases and applications in an accurate and complete manner to ensure the reliability and validity of the data and decisions made based on the data.

Info-Tech’s Data Provenance Policy:

Create policies to keep your data's value, such as:

• Only allow entry of data from reliable sources.
• Employees entering and accessing data must observe requirements for capturing/maintaining provenance metadata.
• Provenance metadata will be used to track the lifecycle of data from creation through to disposal.

Info-Tech’s Data Integration and Virtualization Policy:

This policy aims to assure the organization, staff, and other interested parties that data integration, replication, and virtualization risks are taken seriously. Staff must use the policy (and supporting guidelines) when deciding whether to integrate, replicate, or virtualize data sets.

Select the right mix of metrics to successfully supervise data policies and processes

Policies are only as good as your level of compliance. Ensure supervision controls exist to oversee adherence to policies and procedures.

Although they can be highly subjective, metrics are extremely important to data governance success.

• Establishing metrics that measure the performance of a specific process or data set will:
  • Create a greater degree of ownership from data stewards and data owners.
  • Help identify underperforming individuals.
  • Allow the steering committee to easily communicate tailored objectives to individual data stewards and owners.
• Be cautious when establishing metrics. The wrong metrics can have negative repercussions.
  • They will likely draw attention to an aspect of the process that doesn’t align with the initial strategy.
  • Employees will work hard and grow frustrated as their successes aren’t accurately captured.

Policies are great to have from a legal perspective, but unless they are followed, they will not benefit the organization.

• One of the most useful metrics for policies is currency. This tracks how up to date the policy is and how often employees are informed about the policy. Often, a policy will be introduced and then ignored. Policies must be continuously reviewed by management and employees.
• Some other metrics include adherence (including performance in tests for adherence) and impacts from non-adherence.

Review metrics on an ongoing basis with those data owners/stewards who are accountable, the data governance steering committee, and the executive sponsors.

Establish data standards and procedures for use across all organizational lines of business

A data governance program will impact all data-driven business units within the organization.

• Data management procedures are the methods, techniques, and steps to accomplish a specific data objective. Creating standard data definitions should be one of the first tasks for a data governance steering committee.
• Data moves across all departmental boundaries and lines of business within the organization. These definitions must be developed as a common set of standards that can be accepted and used enterprise wide.
• Consistent data standards and definitions will improve data flow across departmental boundaries and between lines of business.
• Ensure these standards and definitions are used uniformly throughout the organization to maintain reliable and useful data.

Data standards and procedural guidelines will vary from company to company.

Examples include:

• Data modeling and architecture standards.
• Metadata integration and usage procedures.
• Data security standards and procedures.
• Business intelligence standards and procedures.

Info-Tech Tip

Have a fundamental data definition model for the entire business to adhere to. Those in the positions that generate and produce data must follow the common set of standards developed by the steering committee and be accountable for the creation of valid, clean data.

Changes to organizational data processes are inevitable; have a communications plan in place to manage change

Create awareness of your data governance program, using knowledge transfer to get as many people on board as possible.

By planning for and efficiently communicating any changes that a data governance initiative may bring, many initial issues can be resolved from the outset.

Governance recommendations will require significant business change. The redesign of a substantial number of data processes affecting various business units will require an overhaul of the organization’s culture, thought processes, and procedures surrounding its data. Preparing people for change well in advance will allow them to take the necessary steps to adapt and reduce potential confrontation.

Because a data governance initiative will involve data-driven business units across the organization, the governance team must present a compelling case for data governance to ensure acceptance of new processes, rules, guidelines, and technologies by all data producers and users.

Attempting to implement change without an effective communications plan can result in disagreements over data control and stalemates between stakeholder units. The recommendations of the governance group must reflect the needs of all stakeholders or there will be pushback.

Data governance initiatives will very likely bring about a level of organizational disruption. A clear and concise communications strategy that conveys milestones and success stories will address the various concerns that business unit stakeholders may have.

Info-Tech Tip

Launching a data governance program will bring with it a level of disruption to the culture of the organization. That disruption doesn’t have to be detrimental if you are prepared to manage the change proactively and effectively.

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Build Your Business and User Context

Work with your core team of stakeholders to build out your data governance strategy map, aligning data governance initiatives with business capabilities, value streams, and, ultimately, your strategic priorities.

Formulate a Plan to Get to Your Target State

Develop a data governance future state roadmap and plan based on an understanding of your current data governance capabilities, your operating environment, and the driving needs of your business.

Related Info-Tech Research

Build a Robust and Comprehensive Data Strategy

Key to building and fostering a data-driven culture.

Create a Data Management Roadmap

Streamline your data management program with our simplified framework.

The First 100 Days as CDO

Be the voice of data in a time of transformation.

Research Contributors

Bibliography

Alation. “The Alation State of Data Culture Report – Q3 2020.” Alation, 2020. Accessed 25 June 2021.

Allott, Joseph, et al. “Data: The next wave in forestry productivity.” McKinsey & Company, 27 Oct. 2020. Accessed 25 June 2021.

Bean, Randy. “Why Culture Is the Greatest Barrier to Data Success.” MIT Sloan Management Review, 30 Sept. 2020. Accessed 25 June 2021.

Brence, Thomas. “Overcoming the Operationalization Challenge with Data Governance at New York Life.” Informatica, 18 March 2020. Accessed 25 June 2021.

Bullmore, Simon, and Stuart Coleman. “ODI Inside Business – a checklist for leaders.” Open Data Institute, 19 Oct. 2020. Accessed 25 June 2021.

Canadian Institute for Health Information. “Developing and implementing accurate national standards for Canadian health care information.” Canadian Institute for Health Information. Accessed 25 June 2021.

Carruthers, Caroline, and Peter Jackson. “The Secret Ingredients of the Successful CDO.” IRM UK Connects, 23 Feb. 2017.

Dashboards. “Useful KPIs for Healthy Hospital Quality Management.” Dashboards. Accessed 25 June 2021.

Dashboards. “Why (and How) You Should Improve Data Literacy in Your Organization Today.” Dashboards. Accessed 25 June 2021.

Datapine. “Healthcare Key Performance Indicators and Metrics.” Datapine. Accessed 25 June 2021.

Datapine. “KPI Examples & Templates: Measure what matters the most and really impacts your success.” Datapine. Accessed 25 June 2021.

Diaz, Alejandro, et al. “Why data culture matters.” McKinsey Quarterly, Sept. 2018. Accessed 25 June 2021.

Everett, Dan. “Chief Data Officer (CDO): One Job, Four Roles.” Informatica, 9 Sept. 2020. Accessed 25 June 2021.

Experian. “10 signs you are sitting on a pile of data debt.” Experian. Accessed 25 June 2021.

Fregoni, Silvia. “New Research Reveals Why Some Business Leaders Still Ignore the Data.” Silicon Angle, 1 Oct. 2020.

Informatica. Holistic Data Governance: A Framework for Competitive Advantage. Informatica, 2017. Accessed 25 June 2021.

Knight, Michelle. “What Is a Data Catalog?” Dataversity, 28 Dec. 2017. Web.

Lim, Jason. “Alation 2020.3: Getting Business Users in the Game.” Alation, 2020. Accessed 25 June 2021.

McDonagh, Mariann. “Automating Data Governance.” Erwin, 29 Oct. 2020. Accessed 25 June 2021.

NewVantage Partners. Data-Driven Business Transformation: Connecting Data/AI Investment to Business Outcomes. NewVantage Partners, 2020. Accessed 25 June 2021.

Olavsrud, Thor. “What is data governance? A best practices framework for managing data assets.” CIO.com, 18 March 2021. Accessed 25 June 2021.

Open Data Institute. “Introduction to data ethics and the data ethics canvas.” Open Data Institute, 2020. Accessed 25 June 2021.

Open Data Institute. “The UK National Data Strategy 2020: doing data ethically.” Open Data Institute, 17 Nov. 2020. Accessed 25 June 2021.

Open Data Institute. “What is the Data Ethics Canvas?” Open Data Institute, 3 July 2019. Accessed 25 June 2021.

Pathak, Rahul. “Becoming a Data-Driven Enterprise: Meeting the Challenges, Changing the Culture.” MIT Sloan Management Review, 28 Sept. 2020. Accessed 25 June 2021.

Redman, Thomas, et al. “Only 3% of Companies’ Data Meets Basic Quality Standards.” Harvard Business Review. 11 Sept 2017.

Petzold, Bryan, et al. “Designing data governance that delivers value.” McKinsey & Company, 26 June 2020. Accessed 25 June 2021.

Smaje, Kate. “How six companies are using technology and data to transform themselves.” McKinsey & Company, 12 Aug. 2020. Accessed 25 June 2021.

Talend. “The Definitive Guide to Data Governance.” Talend. Accessed 25 June 2021.

“The Powerfully Simple Modern Data Catalog.” Atlan, 2021. Web.

U.S. Geological Survey. “Data Management: Data Standards.” U.S. Geological Survey. Accessed 25 June 2021.

Waller, David. “10 Steps to Creating a Data-Driven Culture.” Harvard Business Review, 6 Feb. 2020. Accessed 25 June 2021.

“What is the Difference Between A Business Glossary, A Data Dictionary, and A Data Catalog, and How Do They Play A Role In Modern Data Management?” Analytics8, 23 June 2021. Web.

Wikipedia. “RFM (market research).” Wikipedia. Accessed 25 June 2021.

Windheuser, Christoph, and Nina Wainwright. “Data in a Modern Digital Business.” Thoughtworks, 12 May 2020. Accessed 25 June 2021.

Wright, Tom. “Digital Marketing KPIs - The 12 Key Metrics You Should Be Tracking.” Cascade, 3 March 2021. Accessed 25 June 2021.

Secure Operations in High-Risk Jurisdictions

Assessments often omit jurisdictional risks. Are your assets exposed?

EXECUTIVE BRIEF

Analyst Perspective

Operations in high-risk jurisdictions face unique security scenarios.

Michel Hébert

Research Director

Security and Privacy

Info-Tech Research Group

Alan Tang

Principal Research Director

Security and Privacy

Info-Tech Research Group

Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.

Executive Summary

Your Challenge

• Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
• Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.

Common Obstacles

• Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
• Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.

Info-Tech’s Approach

Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.

This approach includes tools for:

• Evaluating the security context of your organization’s high-risk jurisdictions.
• Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
• Planning and executing a response.

Info-Tech Insight

Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.

Business operations in high-risk jurisdictions face a more complex security landscape

Information security risks to business operations vary widely by region.

The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.

Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.

Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.

Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further

The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.

The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.

The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:

• 33% had no data protection legislation.
• 47% had no breach notification measures in place.
• 50% had no legislation on the theft of personal information.
• 19% still had no legislation on illegal access.

Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.

The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)

Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.

Securing critical assets in high-risk jurisdictions requires additional effort

Traditional approaches to security strategy may miss these key risk scenarios.

As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.

Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.

• Engage the organization with the right questions.
• Identify critical assets and assess vulnerabilities.
• Catalogue threats and build risk scenarios.
• Identify the security controls necessary to mitigate risks.

Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.

This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.

Key Risk Scenarios

• High-Risk Travel
• Compliance Risk
• Insider Threat
• Advanced Persistent Threat
• Commercial Surveillance

Travel risk is the first scenario we use as an example throughout the blueprint

• This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
• Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
• Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.

The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.

Before you leave

• Identify high-risk countries.
• Enable controls.
• Limit what you pack.

During your trip

• Assume you are monitored.
• Limit access to systems.
• Prevent theft.

When you return

• Change your password.
• Restore your devices.

Compliance risk is the second scenario we use as an example

• Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
• Later sections will show how to think through at least four compliance risks, including:
  • Cross-border data transfer
  • Third-party risk management
  • Data breach notification
  • Data residency

The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.

Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Business Security Requirements

Identify the context for the global security risk assessment, including risk appetite and risk tolerance.

Jurisdictional Risk Register and Heatmap

Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.

Mitigation Plan

Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.

Key deliverable:

Jurisdictional Risk Register and Heatmap

Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.

Blueprint benefits

Protect critical assets in high-risk jurisdictions

IT Benefits

Assess and remediate information security risk to critical assets in high-risk jurisdictions.

Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.

Illustrate key information security risk scenarios to make the case for action in terms the business understands.

Business Benefits

Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.

Support business growth in high-risk jurisdictions without compromising critical assets.

Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.

Quantify the impact of securing global operations

The tool included with this blueprint can help you measure the impact of implementing the research

• Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.

Establish Baseline Metrics

• Review existing information security and risk management metrics and the output of the tools included with the blueprint.
• Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
• Compare your results with those in your overall security and risk management program.

Info-Tech offers various levels of support to best suit your needs.

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

Phase 1

Call #1: Scope project requirements, determine assessment scope, and discuss challenges.

Phase 2

Call #2: Conduct initial risk assessment and determine risk tolerance.

Call #3: Evaluate security pressures in high-risk jurisdictions.

Call #4: Identify risks in high-risk jurisdictions.

Call #5: Assess risk exposure.

Phase 3

Call #6: Treat security risks in high-risk jurisdictions.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

No safe jurisdictions

Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.

Traditional approaches to security strategy often omit jurisdictional risks.

Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.

The two greatest risks are high-risk travel and compliance risk.

You can mitigate them with small adjustments to your security program.

Support High-Risk Travel

When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.

Mitigate Compliance Risk

Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.

Phase 1

Identify Context

This phase will walk you through the following activities:

• Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
• Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.

This phase involves the following participants:

• Business stakeholders
• IT leadership
• Security team
• Risk and Compliance

Step 1.1

Assess Business Requirements

Activities

1.1.1 Determine assessment scope

1.1.2 Identify enterprise goals in high-risk jurisdictions

1.1.3 Identify compliance obligations

This step involves the following participants:

• Business stakeholders
• IT leadership
• Security team
• Risk and Compliance

Outcomes of this step

• Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.

Focus the risk assessment on high-risk jurisdictions

Traditional approaches to information security strategy often miss threats to global operations

• Successful security strategies are typically sensitive to risks to different IT systems and lines of business.
• However, securing global operations requires additional focus on high-risk jurisdictions, considering what makes them unique.
• This first phase of the project will help you evaluate the business context of operations in high-risk jurisdictions, including:
  • Enterprise and security goals.
  • Lines of business, physical locations, and IT systems that need additional oversight.
  • Unique compliance obligations.
  • Unique risks and security pressures.
  • Organizational risk tolerance in high-risk jurisdictions.

Focus your risk assessment on the business activities security supports in high-risk jurisdictions and the unique threats they face to bridge gaps in your security strategy.

Identify jurisdictions with higher inherent risks

Your security strategy may not describe jurisdictional risk adequately.

• Security strategies list lines of business, physical locations, and IT systems the organization needs to secure and those whose security will depend on a third-party. You can find additional guidance on fixing the scope and boundaries of a security strategy in Phase 1 of Build an Information Security Strategy.
• However, security risks vary widely from one jurisdiction to another according to:
  • Active cyber threats.
  • Legal and regulatory frameworks.
  • Regional security and preparedness capabilities.
• Your first task is to identify high-risk jurisdictions to target for additional oversight.

Work closely with your enterprise risk management function.

Enterprise risk management functions are often tasked with developing risk assessments from composite sources. Work closely with them to complete your own assessment.

Countries at heightened risk of money laundering and terrorism financing are examples of high-risk jurisdictions. The Financial Action Task Force and the U.S. Treasury publish reports three times a year that identify Non-Cooperative Countries or Territories.

Develop a robust jurisdictional assessment

Design an intelligence collection strategy to inform your assessment

• Relying on a single source may lead you to miscalculate risk exposure and miss relevant factors. Use a range of internal, external, and outsourced resources to identify higher-risk jurisdictions.
• Focus your jurisdictional assessment on:
• Strategic intelligence, which sheds light on trends and motivations that affect the threat landscape. For instance:
• Countries that national law enforcement identifies as posing a higher travel risk
• Third-party assessments of business and cybersecurity risk by jurisdiction
• Third-party assessment of jurisdictional commitment to information security
• Tactical intelligence, which identifies the extent of incidents in each jurisdiction. For instance:
• Vendor report on % of security attacks by type and country
• You can find additional guidance on designing a threat intelligence collection strategy in Phase 2 of Integrate Threat Intelligence into your Security Operations.

Strategic Intelligence

White papers, briefings, reports. Audience: C-Suite, board members

Tactical Intelligence

Internal reports, vendor reports. Audience: Security leaders

Operational intelligence

Indicators of compromise. Audience: IT Operations

Operational intelligence focuses on machine-readable data used to block attacks, triage and validate alerts, and eliminate threats from the network. It becomes outdated in a matter of hours and is less useful for this exercise.

Determine travel risks to bolster your assessments

Not all locations and journeys will require the same security measures.

• Travel risks vary significantly according to destination, the nature of the trip, and traveler profile.
• Access to an up-to-date country risk rating system enables your organization and individual staff to quickly determine the overall level of risk in a specific country or location.
• Based on this risk rating, you can specify what security measures are required prior to travel and what level of travel authorization is appropriate, in line with the organization's security policy or travel security procedures.
• While some larger organizations can maintain their own country risk ratings, this requires significant capacity, particularly to obtain the necessary information to keep these regularly updated.
• It may be more effective for your organization to make use of the travel risk ratings provided by an external security information provider, such as a company linked to your travel insurance or travel booking service, if available.
• Alternatively, various open-source travel risk ratings are available via embassy travel sites or other website providers.

Without a flexible system to account for the risk exposures of different jurisdictions, staff may perceive measures as a hindrance to operations.

Develop a tiered risk rating

The example below outlines potential risk indicators for high-risk travel.

Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

1.1.1 Determine assessment scope

1 – 2 hours

1. As a group, brainstorm a list of high-risk jurisdictions to target for additional assessment. Write down as many items as possible to include in:

• Lines of business
• Physical locations
• IT systems

Pay close attention to elements of the assessment that are not in scope.

Download the Information Security Requirements Gathering Tool

Position your efforts in a business context

Securing critical assets in high-risk jurisdictions is a business imperative

• Many companies relegate their information security strategies to their IT department. Aside from the strain the choice places on a department that already performs many different functions, it wrongly implies that mitigating information security risk is simply an IT problem.
• Managing information security risks is a business problem. It requires that organizations identify their risk appetite, prioritize relevant threats, and define risk mitigation initiatives. Business leaders can only do these activities effectively in a context that recognizes the business and financial benefits of implementing protections.
• This is notably true of businesses with operations in many different countries. Each jurisdiction has its own set of security risks the organization must account for, as well as unique local laws and regulations that affect business operations.
• In high-risk jurisdictions, your efforts must consider the unique operational challenges your organization may not face in its home country. Your efforts to secure critical assets will be most successful if you describe key risk scenarios in terms of their impact on business goals.
• You can find additional guidance on assessing the business context of a security strategy in Phase 1 of Build an Information Security Strategy.

Do you understand the unique business context of operations in high-risk jurisdictions?

1.1.2 Identify business goals

Estimated Time: 1-2 hours

1. As a group, brainstorm the primary and secondary business goals of the organization. Focus your assessment on operations in high-risk jurisdictions you identified in Exercise 1.1.1. Review:

• Relevant corporate and IT strategies.
• The business goal definitions and indicator metrics in tab 2, “Goals Definition,” of the Information Security Requirements Gathering Tool.

Download the Information Security Requirements Gathering Tool

Record business goals

Capture the results in the Information Security Requirements Gathering Tool

1. Record the primary and secondary business goals you identified in tab 3, “Goals Cascade,” of the Information Security Requirements Gathering Tool.
2. Next, record the two security alignment goals you selected for each business goal based on the tool’s recommendations.
3. Finally, review the graphic diagram that illustrates your goals on tab 6, “Results,” of the Information Security Requirements Gathering Tool.
4. Revisit this exercise whenever operations expands to a new jurisdiction to capture how they contribute to the organization’s mission and vision and how the security program can support them.

Tab 3, Goals Cascade

Tab 6, Results

Analyze business goals

Assess how operating in multiple jurisdictions adds nuance to your business goals

• Security leaders need to understand the direction of the business to propose relevant security initiatives that support business goals in high-risk jurisdictions.
• Operating in different jurisdictions carries its own degree of risk. The organization is subject not only to the information security risks and legal frameworks of its country of origin but also to those associated with international jurisdictions.
• You need to understand where your organization operates and how these different jurisdictions contribute to your business goals to support their performance and protect the firm’s reputation.
• This exercise will make an explicit link between security and privacy concerns in high-risk jurisdictions, what the business cares about, and what security is trying to accomplish.

If the organization is considering a merger and acquisition project that will expand operations in jurisdictions with different travel risk profiles, the security organization needs to revise the security strategy to ensure the organization can support high-risk travel and mitigate risks to critical assets.

Identify compliance obligations

Data compliance obligations loom large in high-risk jurisdictions

Security leaders are familiar with most conventional regulatory obligations that govern financial, personal, and healthcare data in North America and Europe.

Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency and data localization and to shut down the cross-border transfer of data.

The next step requires you to consider the compliance obligations the organization needs to meet to support the business as it expands to other jurisdictions through natural growth, mergers, and acquisitions.

1.1.3 Identify compliance obligations

Estimated Time: 1-2 hours

1. As a group, brainstorm compliance obligations in target jurisdictions. Focus your assessment on operations in high-risk jurisdictions.

Include:

• Laws
• Governing regulations
• Industry standards
• Contractual agreements

Download the Information Security Requirements Gathering Tool

Step 1.2

Evaluate Security Pressures

Activities

1.2.1 Conduct initial risk assessment

1.2.2 Conduct pressure analysis

1.2.3 Determine risk tolerance

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

Identify threats to global assets and capture the security expectations of external stakeholders, including customers, regulators, legislators, and business partners, and determine risk tolerance.

Evaluate security pressures to set the risk context

Perform an initial assessment of high-risk jurisdictions to set the context.

Assess:

• The threat landscape.
• The security pressures from key stakeholders.
• The risk tolerance of your organization.

You should be able to find the information in your existing security strategy. If you don’t have the information, work through the next three steps of the project blueprint.

Some jurisdictions carry inherent risks

• Jurisdictional risks stem from legal, regulatory, or political factors that exist in different countries or regions. They can also stem from unexpected legal changes in regions where critical assets have exposure. Understanding jurisdictional risks is critical because they can require additional security controls.
• Jurisdictional risk tends to be higher in jurisdictions:
• Where the organization:
• Conducts high-value or high-volume financial transactions.
• Supports and manages critical infrastructure.
• Has high-cost data or data whose compromise could undermine competitive advantage.
• Has a high percentage of part-time employees and contractors.
• Experiences a high rate of employee turnover.
• Where state actors:
• Have a low commitment to cybersecurity, financial, and privacy legislation and regulation.
• Support cybercrime organizations within their borders.

Jurisdictional risk is often reduced to countries where money laundering and terrorist activities are high. In this blueprint, the term refers to the broader set of information security risks that arise when operating in a foreign country or jurisdiction.

Five key risk scenarios are most prevalent

Key Risk Scenarios

• High-Risk Travel
• Compliance Risk
• Insider Threat
• Advanced Persistent Threat
• Commercial Surveillance

Security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets. The goal of the next two exercises is to analyze the threat landscape and security pressures unique to high-risk jurisdictions, which will inform the construction of key scenarios in Phase 2. These five scenarios are most prevalent in high-risk jurisdictions. Keep them in mind as you go through the exercises in this section.

1.2.1 Assess jurisdictional risk

1-3 hours

1. As a group, review the questions on tab 2, “Risk Assessment,” of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following risk elements with a focus on high-risk jurisdictions:
3. Review each question in tab 2 of the Information Security Pressure Analysis Tool and select the most appropriate response.

For more information on how to complete the risk assessment questionnaire, see Step 1.2.1 of Build an Information Security Strategy.

1.2.2 Conduct pressure analysis

1-3 hours

1. As a group, review the questions on tab 3, “Pressure Analysis,” of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following pressure elements with a focus on high-risk jurisdictions:

• Compliance and oversight
• Customer expectations
• Business expectations
• IT expectations

For more information on how to complete the pressure analysis questionnaire, see Step 1.3 of Build an Information Security Strategy.

A low security pressure means that your stakeholders do not assign high importance to information security. You may need to engage stakeholders with the right key risk scenarios to illustrate jurisdictional risk and generate support for new security controls.

Download the Information Security Pressure Analysis Tool

Assess risk tolerance

• Risk tolerance expresses the types and amount of risk the organization is willing to accept in pursuit of its goals.
• These expectations can help you identify, manage, and report on key risk scenarios in high-risk jurisdictions.
• For instance, an organization with a low risk tolerance will require a stronger information security program to minimize operational security risks.
• It’s up to business leaders to determine the risks they are willing to accept. They may need guidance to understand how system-level risks affect the organization’s ability to pursue its goals.

A formalized risk tolerance statement can help:

• Support risk-based security decisions that align with business goals.
• Provide a meaningful rationale for security initiatives.
• Improve the transparency of investments in the organization’s security program.
• Provide guidance for monitoring inherent risk and residual risk exposure.

The role of security professionals is to identify and analyze key risk scenarios that may prevent the organization from reaching its goals.

1.2.3 Determine risk tolerance

1-3 hours

1. As a group, review the questions on tab 4, “Risk Tolerance,” of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following risk tolerance elements:

• Recent IT problems, especially downtime and data recovery issues
• Historical security incidents

• Existing security strategy
• Business impact assessments
• Service-level agreements

For more information on how to complete the risk tolerance questionnaire, see Step 1.4 of Build an Information Security Strategy.

Download the Information Security Pressure Analysis Tool

Review the output of the results tab

• The organizational risk assessment provides a high-level assessment of inherent risks in high-risk jurisdictions. Use the results to build and assess key risk scenarios in Phase 2.
• Use the security pressure analysis to inform stakeholder management efforts. A low security pressure indicates that stakeholders do not yet grasp the impact of information security on organizational goals. You may need to communicate its importance before you discuss additional security controls.
• Jurisdictions in which organizations have a low risk tolerance will require stronger information security controls to minimize operational risks.

Phase 2

Assess Security Risks to Critical Assets

This phase will walk you through the following activities:

• Identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.
• Assess risk exposure of critical assets in high-risk jurisdictions for each risk scenario through an analysis of its likelihood and impact.

This phase involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Step 2.1

Identify Risks

Activities

2.1.1 Identify assets

2.1.2 Identify threats

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

• Define risk scenarios that identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.

This blueprint focuses on mitigating jurisdictional risks

For a deeper dive into building a risk management program, see Info-Tech’s core project blueprints on risk management:

Build an IT Risk Management Program

Combine Security Risk Management Components Into One Program

Draft key risk scenarios to illustrate adverse events

Risk scenarios help decision-makers understand how adverse events affect business goals.

• Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
• Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
• The asset at risk.
• The threat that can act against the asset.
• Their intent or motivation.
• The circumstances and threat actor model associated with the threat event.
• The potential effect on the organization.
• When or how often the event might occur.

Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

Well-crafted risk scenarios have four components

The second phase of the project will help you craft meaningful risk scenarios

Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events. Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address and treat security risks in high-risk jurisdictions.

The next slides review five key risk scenarios prevalent in high-risk jurisdictions. Use them as examples to develop your own.

Travel to high-risk jurisdictions requires special measures to protect staff, devices, and data

Governmental, academic, and commercial advisors compile lists of jurisdictions that pose greater travel risks annually.

For instance, in the US, these lists might include countries that are:

• Subjects of travel warnings by the US Department of State.
• Identified as high risk by other US government sources such as:
• The Department of the Treasury Office of Foreign Assets Control (OFAC).
• The Federal Bureau of Investigation (FBI).
• The Office of the Director of National Intelligence (ODNI).
• Compiled from academic and commercial sources, such as Control Risks.

When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security.

The diagram presents high-risk jurisdictions based on US governmental sources (2021) listed on this slide.

High-risk travel

Likelihood: Medium

Impact: Medium

Key Risk Scenario #1

Malicious state actors, cybercriminals, and competitors can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

Threat Actor:

• Malicious state actors
• Cybercriminals
• Competitors

Assets:

• Staff
• IT systems
• Sensitive data

Effect:

• Compromised staff health and safety
• Loss of data
• Lost of system integrity

Methods:

• Identify, steal, or target mobile devices.
• Compromise network, wireless, or Bluetooth connections.
• Leverage stolen devices as a means of infecting other networks.
• Access devices to track user location.
• Activate microphones on devices to collect information.
• Intercept electronic communications users send from high-risk jurisdictions.

The data compliance landscape is a jigsaw puzzle of data protection and data residency requirements

Since the EU passed the GDPR in 2016, jurisdictions have turned to data regulations to protect citizen data

Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency, breach notification, and cross-border data transfer regulations. As 2021 wound down to a close, nearly all the world’s 30 largest economies had some form of data regulation in place. The regulatory landscape is shifting rapidly, which complicates operations as organizations grow into new markets or engage in merger and acquisition activities.

Global operations require special attention to data-residency requirements, data breach notification requirements, and cross-border data transfer regulations to mitigate compliance risk.

Compliance risk

Likelihood: Medium

Impact: High

Key Risk Scenario #2

Rapid changes in the privacy and security regulatory landscape threaten organizations’ ability to meet their compliance obligations from local legal and regulatory frameworks. Organizations risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

Threat Actor:

• Local, regional, and national state actors

Asset:

• Reputation, market share
• License to operate

Effect:

• Administrative fines
• Loss of reputation, brand trust, and consumer loyalty
• Loss of market share
• Suspension of business operations
• Lawsuits due to collective actions and claims
• Criminal charges

Methods:

• Shifts in the privacy and security regulatory landscape, including requirements for:
• Data residency.
• Cross-border data transfer.
• Data breach notification.
• Third-party security and privacy risk management.

The incidence of insider threats varies widely by jurisdiction in unexpected ways

On average, companies in North America, the Middle East, and Africa had the most insider incidents in 2021, while those in the Asia-Pacific region had the least.

The Ponemon Institute set out to understand the financial consequences that result from insider threats and gain insight into how well organizations are mitigating these risks.

In the context of this research, insider threat is defined as:

• Employee or contractor negligence.
• Criminal or malicious insider activities.
• Credential theft (imposter risk).

On average, the total cost to remediate insider threats in 2021 was US$15.4 million per incident.

In all regions, employee or contractor negligence occurred most frequently. Organizations in North America and in the Middle East and Africa were most likely to experience insider threat incidents in 2021.

The diagram represents the average number of insider incidents reported per organization in 2021. The results are analyzed in four regions (Ponemon Institute, 2022)

Insider threat

Likelihood: Low to Medium

Impact: High

Key Risk Scenario #3

Malicious insiders, negligent employees, and credential thieves can exploit inside access to information systems to commit fraud, steal confidential or commercially valuable information, or sabotage computer systems. Insider threats are difficult to identify, especially when security is geared toward external threats. They are often familiar with the organization’s data and intellectual property as well as the methods in place to protect them. An insider may steal information for personal gain or install malicious software on information systems. They may also be legitimate users who make errors and disregard policies, which places the organization at risk.

Threat Actor:

• Malicious insiders
• Negligent employees
• Infiltrators

Asset:

• Sensitive data
• Employee credentials
• IT systems

Effects:

• Loss of system integrity
• Loss of data confidentiality
• Financial loss

Methods:

• Infiltrators may compromise credentials.
• Malicious or negligent insiders may use corporate email to steal or share sensitive data, including:
  • Regulated data.
  • Intellectual property.
  • Critical business information.
• Malicious agents may facilitate data exfiltration, as well as open-port and vulnerability scans.

The risk of advanced persistent threats is more prevalent in Central and South America and the Asia-Pacific region

Attacks from advanced persistent threat (APT) actors are more sophisticated than traditional ones.

• More countries will use legal indictments as part of their cyber strategy. Exposing toolsets of APT groups carried out at the governmental level will drive more states to do the same.
• Expect APTs to increasingly target network appliances like VPN gateways as organizations continue to sustain hybrid workforces.
• The line between APTs and state-sanctioned ransomware groups is blurring. Expect cybercriminals to wield better tools, mount more targeted attacks, and use double-extortion tactics.
• Expect more disruption and collateral damage from direct attacks on critical infrastructure.

Top 10 Significant Threat Actors:

• Lazarus
• DeathStalker
• CactusPete
• IAmTheKing
• TransparentTribe
• StrongPity
• Sofacy
• CoughingDown
• MuddyWater
• SixLittleMonkeys

Top 10 Targets:

• Government
• Banks
• Financial Institutions
• Diplomatic
• Telecommunications
• Educational
• Defense
• Energy
• Military
• IT Companies

Top 12 countries targeted by APTs (Kaspersky, 2020)

Track notable APTs to revise your list of high-risk jurisdictions and review the latest tactics and techniques

Governmental advisors track notable APT actors that pose greater risks.

The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site provide helpful and timely information to understand APT risks in different jurisdictions.

The following threat actors are currently associated with cyberattacks affiliated with the Russian government.

Sources: MITRE ATT&CK; Security Boulevard, 2022; Reuters, 2022; The Verge, 2022

Advanced persistent threat

Likelihood: Low to Medium

Impact: High

Key Risk Scenario #4

Advanced persistent threats are state actors or state-sponsored affiliates with the means to avoid detection by anti-malware software and intrusion detection systems. These highly-skilled and persistent malicious agents have significant resources with which to bypass traditional security controls, establish a foothold in the information technology infrastructure, and exfiltrate data undetected. APTs have the resources to adapt to a defender’s efforts to resist them over time. The loss of system integrity and data confidentiality over time can lead to financial losses, business continuity disruptions, and the destruction of critical infrastructure.

Threat Actor:

• State actors
• State-sponsored affiliates

Asset:

• Sensitive data
• IT systems
• Critical infrastructure

Effects:

• Loss of system integrity
• Loss of data confidentiality
• Financial loss
• Business continuity disruptions
• Infrastructure destruction

Methods:

• Persistent, consistent attacks using the most advanced threats and tactics to bypass security defenses.
• The goal of APTs is to maintain access to networks for prolonged periods without being detected.
• The median dwell time differs widely between regions. FireEye reported the mean dwell time for 2018:
  • Americas: 71 days
  • Europe, Middle East, and Africa: 177 days
  • Asia-Pacific: 204 days

Sources: Symantec, 2011; FireEye, 2019

Threat agents have deployed invasive technology for commercial surveillance in at least 76 countries since 2015

State actors and their affiliates purchased and used invasive spyware from companies in Europe, Israel, and the US.

• “Customers are predominantly repressive regimes looking for new ways to control the flow of information and stifle dissent. Less than 10% of suspected customers are considered full democracies by the Economist Intelligence Unit.” (Top10VPN, 2021)
• Companies based in economically developed and largely democratic states are profiting off the technology.
• The findings demonstrate the need to consider geopolitical realities when assessing high-risk jurisdictions and to take meaningful action to increase layered defenses against invasive malware.
• Spyware is having an increasingly well-known impact on civil society. For instance, since 2016, over 50,000 individual phone numbers have been identified as potential targets by NSO Group, the Israeli manufacturers of the notorious Pegasus Spyware. The target list contained the phone numbers of politicians, journalists, activists, doctors, and academics across the world.
• The true number of those affected by spyware is almost impossible to determine given that many fall victim to the technology and do not notice.

Countries where commercial surveillance tools have been deployed (“Global Spyware Market Index,” Top10VPN, 2021)

The risks and effects of spyware vary greatly

Spyware can steal mundane information, track a user’s every move, and everything in between.

Adware

Software applications that display advertisements while the program is running.

Keyboard Loggers

Applications that monitor and record keystrokes. Malicious agents use them to steal credentials and sensitive enterprise data.

Trojans

Applications that appear harmless but inflict damage or data loss to a system.

Mobile Spyware

Surveillance applications that infect mobile devices via SMS or MMS channels, though the most advanced can infect devices without user input.

State actors and their affiliates use system monitors to track browsing habits, application usage, and keystrokes and capture information from devices’ GPS location data, microphone, and camera. The most advanced system monitor spyware, such as NSO Group’s Pegasus, can infect devices without user input and record conversations from end-to-end encrypted messaging systems.

Commercial surveillance

Likelihood: Low to Medium

Impact: Medium

Key Risk Scenario #5

Malicious agents can deploy malware on end-user devices with commercial tools available off the shelf to secretly monitor the digital activity of users. Attacks exploit widespread vulnerabilities in telecommunications protocols. They occur through email and text phishing campaigns, malware embedded in untested applications, and sophisticated zero-click attacks that deliver payloads without requiring user interactions. Attacks target sensitive as well as mundane information. They can be used to track employee activities, investigate criminal activity, or steal credentials, credit card numbers, or other personally identifiable information.

Threat Actor:

• State actors
• State-sponsored affiliates

Asset:

• Sensitive data
• Staff health and safety
• IT systems

Effects:

• Data breaches
• Loss of data confidentiality
• Increased risk to staff health and safety
• Misuse of private data
• Financial loss

Methods:

• Email and text phishing attacks that delivery malware payloads
• Sideloading untested applications from a third-party source rather than an official retailer
• Sophisticated zero-click attacks that deliver payloads without requiring user interaction

Use the Jurisdictional Risk Register and Heatmap Tool

The tool included with this blueprint can help you draft risk scenarios and risk statements in this section.

The risk register will capture a list of critical assets and their vulnerabilities, the threats that endanger them, and the adverse effect your organization may face.

Download the Jurisdictional Risk Register and Heatmap Tool

2.1.1 Identify assets

1 – 2 hours

1. As a group, consider critical or mission-essential functions in high-risk jurisdictions and the systems on which they depend. Brainstorm a list of the organization’s mission-supporting assets in high-risk jurisdictions. Consider:

• Staff
• Critical IT systems
• Sensitive data
• Critical operational processes

• Information systems.
• Sensitive or regulated data.
• Staff health and safety.
• Critical operations and objectives.
• Organizational finances.
• Reputation and brand loyalty