Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Change your focus from satisfying auditors to driving process optimization, consistent IT operations, and effective knowledge transfer.

Project Outline

ANALYST PERSPECTIVE

Do your SOPs drive process optimization?

"Most organizations struggle to document and maintain SOPs as required, leading to process inconsistencies and inefficiencies. These breakdowns directly impact the performance of IT operations. Effective SOPs streamline training and knowledge transfer, improve transparency and compliance, enable automation, and ultimately decrease costs as processes improve and expensive breakdowns are avoided. Documenting SOPs is not just good practice; it directly impacts IT efficiency and your bottom line."

Frank Trovato, Senior Manager, Infrastructure Research Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

• IT Process Owners
• IT Infrastructure Managers
• IT Service Managers
• System Administrators
• And more…

This Research Will Help You:

• Identify, prioritize, and document SOPs for critical business processes.
• Discover opportunities for overall process optimization by documenting SOPs.
• Develop documentation best practices that support ongoing maintenance and review.

This Research Will Also Assist:

• CTOs
• Business unit leaders

This Research Will Help Them:

• Understand the need for and value of documenting SOPs in a usable format.
• Help set expectations around documentation best practices.
• Extend IT best practices to other parts of the business.

Executive summary

Situation

• Most organizations know it is good practice to have SOPs as it improves consistency, facilitates process improvement, and contributes to efficient operations.
• Though the benefits are understood, many organizations don't have SOPs and those that do don't maintain them.

Complication

• Writing SOPs is the last thing most people want to do, so the work gets pushed down the priority list and the documents become dated.
• Promoting the use of SOPs can also face staff resistance as the documentation is seen as time consuming to develop and maintain, too convoluted to be useful, and generally out of date.

Resolution

• Overcome staff resistance while implementing a sustainable SOP documentation approach by doing the following:
• Create visual documents that can be scanned. Flowcharts, checklists, and diagrams are quicker to create, take less time to update, and are ultimately more usable than a dense manual.
• Use simple, but effective document management practices.
• Make SOPs part of your project deliverables rather than an afterthought. That includes checking documentation status as part of your change management process.
• Extend these principles to other areas of IT and business processes. The survey data and examples in this report include application development and business processes as well as IT operations.

Info-Tech Insight

1. Create visual documents, not dense SOP manuals.
2. Start with high-impact SOPs. Identify the most critical undocumented SOPs and document them first.
3. Integrate SOP creation into project requirements and create SOP approval steps to ensure documentation is reviewed and completed in a timely fashion.

Most organizations struggle to create and maintain SOP documents, especially in North America, despite the benefits

North American companies are traditionally more technology focused than process focused, and that is reflected in the approach to documenting SOPs.

• An ad hoc approach to SOPs almost certainly means documents will be out of date and ineffective. The same is also true when updating SOPs as part of periodic concerted efforts to prepare for an audit, annual review, or certification process, and this makes the task more imposing.
• Incorporating SOP updates as part of regular change management processes ensures documents are up to date and usable. This can also make reviews and audits much more manageable.

'It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained.'

– Gary Patterson, Consultant, Quorum Resources

Organizations are most likely to update documents on an ad hoc basis or via periodic formal reviews. Less than 25% keep SOPs updated as needed.

Source: Info-Tech Research Group; N=104

Document SOPs to improve knowledge transfer, optimize processes, and ultimately save money

COBIT, ISO, and ITIL aren’t a complete solution

"Being ITIL and ISO compliant hasn’t solved our documentation problem. We’re still struggling."

– Vendor Relationship Manager, Financial Services Industry

• Adopting a framework such as ITIL, COBIT, or ISO doesn’t always mean that SOP documents are accurate, effective, or up to date.
• Although these frameworks emphasize the importance of documenting processes, they tend to focus more on process development and requirements than on actual documentation. In other words, they deal more with what needs to be done than with how to do it.
• This research will focus more on the documentation process itself – so how to go about creating, updating, optimizing, managing, and distributing SOP documents.

Inadequate SOPs lead to major data loss and over $99,000 in recovery costs

CASE STUDY 1

Company A mid-sized US organization with over 1,000 employees

Source Info-Tech Interview

Situation

• IT supports storage nodes replicated across two data centers. SOPs for backup procedures did not include an escalation procedure for failed backups or a step to communicate successful backups. Management was not aware of the issue and therefore could not address it before a failure occurred.

Incident

• Primary storage had a catastrophic failure, and that put pressure on the secondary storage, which then also failed. All active storage failed and the data corrupted. Daily backups were failing due to lack of disk space on the backup device. The organization had to resort to monthly tape backups.

Impact

• Lost 1 month of data (had to go back to the last tape backup).
• Recovery also took much longer because recovery procedures were also not documented.
• Key steps such as notifying impacted customers were overlooked. Customers were left unhappy not only with the outage and data loss but also the lack of communication.

Intangible costs

High “goodwill” impact for internal staff and customers.

"The data loss pointed out a glaring hole in our processes – the lack of an escalation procedure. If I knew backups weren’t being completed, I would have done something about that immediately."

– Senior Division Manager, Information Technology Division

IT services company optimizes its SOPs using “Lean” approach

CASE STUDY 2

Company Atrion

SourceInfo-Tech Interview

Lean and SOPs

• Standardized work is important to Lean’s philosophy of continuous improvement. SOPs allow for replication of the current best practices and become the baseline standard for member collaboration toward further improvements.
• For more on Lean’s approach to SOPs, see “Lean Six Sigma Quality Transformation Toolkit (LSSQTT) Tool #17.”

Atrion’s approach

• Atrion is focused on documenting high-level processes that improve the client and employee experience or which can be used for training.
• Cross-functional teams collaborate to document a process and find ways to optimize that SOP.
• Atrion leverages visual documentation as much as possible: flowcharts, illustrations, video screen captures, etc.

Outcomes

• Large increase in usable, up-to-date documentation.
• Process and efficiency improvements realized and made repeatable.
• Success has been so significant that Atrion is planning to offer SOP optimization training and support as a service for its clients in the future.

Atrion

• Atrion provides IT services, solutions, and leadership to clients in the 250+ user range.
• After adopting the Lean framework for its organization, it has deliberately focussed on optimizing its documentation.

When we initiated a formal process efficiency program a little over a year ago and began striving towards a culture of continuous improvement, documenting our SOPs became key. We capture how we do things today and how to make that process more efficient. We call it current state and future state mapping of any process.

– Michelle Pope, COO, Atrion Networking Corp.

Strategies to overcome common documentation challenges

Use Info-Tech’s methodology to streamline the SOP documentation process.

Use this blueprint as a building block to complete these other Info-Tech projects

Improve IT-Business Alignment Through an Internal SLA

Understand business requirements, clarify capabilities, and close gaps.

Standardize the Service Desk – Module 2 & 3

Improve reporting and management of incidents and build service request workflows.

Create a Right-Sized Disaster Recovery Plan

Define appropriate objectives for DR, build a roadmap to close gaps, and document your incident response plan.

Extend the Service Desk to the Enterprise

Position IT as an innovator.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Create Visual SOP Documents – project overview

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Measured value for Guided Implementations (GIs)

Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

Note: Documenting SOPs provides additional benefits that are more difficult to quantify: reducing the time spent by staff to find or execute processes, improving transparency and accountability, presenting opportunities for automation, etc.

Phase 1

Prioritize, Optimize, and Document Critical SOPs

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Prioritize, optimize, and document critical SOPs

Proposed Time to Completion (in weeks): 2 weeks

Step 1.1: Prioritize SOPs

Start with an analyst kick off call:

• Apply a client focus to critical IT services.
• Identify undocumented, critical SOPs.

Then complete these activities…

• Rank and prioritize your SOP documentation needs.

With this template:

Standard Operating Procedures Workbook

Step 1.2: Develop visual documentation

Review findings with analyst:

• Understand the benefits of a visual approach.
• Review possibilities for visual documentation.

Then complete these activities…

• Identify formats that can improve your SOP documentation.

With these templates:

• Example DRP Process Flows
• Example App Dev Process And more…

Step 1.3: Optimize and document critical processes

Finalize phase deliverable:

• Two visual SOP documents, mapped using a tabletop exercise.

Then complete these activities…

• Create the visual SOP.
• Review and optimize the process.

With this tool:

SOP Project Roadmap Tool

Phase 1 Results & Insights:

Identify opportunities to deploy visual documentation, and follow Info-Tech’s process to capture steps, gaps, and opportunities to improve IT processes.

Focus first on client-facing and high-impact SOPs

IT’s number one obligation to internal and external customers is to keep critical services running – that points to mission-critical operations, service management, and disaster recovery.

Understand what makes an application or service mission critical

When email or a shared drive goes down, it may impact productivity, but may not be a significant impact to the business. Ask these questions when assessing whether an application or service is mission critical.

"Email and other Windows-based applications are important for our day-to-day operations, but they aren’t critical. We can still manufacture and ship clothing without them. However, our manufacturing systems, those are absolutely critical"

– Bob James, Technical Architect, Carhartt, Inc.

Create a high-level risk and benefit scale

1.1a

15 minutes

Define criteria for high, medium, and low risks and benefits, as shown in the example below. These criteria will be used in the upcoming exercises to rank SOPs.

Note: The goal in this section is to provide high-level indicators of which SOPs should be documented first, so a high-level set of criteria is used. To conduct a detailed business impact analysis, see Info-Tech’s Create a Right-Sized Disaster Recovery Plan.

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Identify and prioritize undocumented mission-critical operations

1.1b

15 minutes

1. To navigate to this exercise, open Info-Tech’s Standard Operating Procedures Workbook.
2. List your top three–five mission critical applications or services.
3. Identify relevant SOPs that support those applications or services.
4. Indicate SOP status: Green = up to date and complete, Yellow = out-of-date or incomplete, Red = undocumented.
5. Assign risk and benefit scores (3=high, 1=low) to Yellow and Red SOPs based on potential impact if those processes failed (risk) and opportunity for process improvement (benefit).

OUTPUT

• Analysis of SOPs supporting mission-critical operations

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Identify and prioritize undocumented service management procedures

1.1c

15 minutes

1. To navigate to this exercise, open Info-Tech’s Standard Operating Procedures Workbook.
2. Identify service management SOPs.
3. Indicate SOP status: Green = up to date and complete, Yellow = out-of-date or incomplete, Red = undocumented.
4. Assign risk and benefit scores (3=high, 1=low) to Yellow and Red SOPs based on potential impact if those processes failed (risk) and opportunity for process improvement (benefit).

OUTPUT

• Analysis of SOPs supporting service management

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Identify and prioritize undocumented DR procedures

1.1d

20 minutes

1. To navigate to this exercise, open Info-Tech’s Standard Operating Procedures Workbook.
2. Identify DR SOPs.
3. Indicate SOP status: Green = up to date and complete, Yellow = out-of-date or incomplete, Red = undocumented.
4. Assign risk and benefit scores (3=high, 1=low) to Yellow and Red SOPs based on potential impact if those processes failed (risk) and opportunity for process improvement (benefit).

OUTPUT

• Analysis of SOPs supporting DR

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Select the SOPs to focus on for the first round of documentation

1.1e

20 minutes

1. Identify two significantly different priority 1 SOPs to document during this workshop. It’s important to get a sense of how the Info-Tech templates and methodology can be applied to different types of SOPs.
2. Rank the remaining SOPs that you still need to address post-workshop by priority level within each topic area.

INPUT

• SOP analysis from activities 1.1 and 1.2

OUTPUT

• A shortlist of critical, undocumented SOPs to review later in this phase

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Change the format of your documentation

Which document is more effective? Which is more likely to be used?

"The end result for most SOPs is a 100-page document that makes anyone but the author want to stab themselves rather than read it. Even worse is when you finally decide to waste an hour of your life reading it only to be told afterwards that it might not be quite right because Bob or Stan needed to make some changes last year but never got around to it."

– Peter Church, Solutions Architect

Create visual-based documentation to improve usability and effectiveness

"Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

– Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

SOPs, including those that support your disaster recovery plan (DRP), are often created to meet certification requirements. However, this often leads to lengthy overly detailed documentation that is geared to auditors and business leaders, not IT staff trying to execute a procedure in a high-pressure, time-sensitive scenario.

Staff don’t have time to flip through a 300-page manual, let alone read lengthy instructions, so organizations are transforming monster manuals into shorter, visual-based documentation. Benefits include:

• Quicker to create than lengthy manuals.
• Easier to be absorb, so they are more usable.
• More likely to stay up to date because they are easier to maintain.

Example: DRPs that include visual SOPs are easier to use — that leads to shorter recovery times and fewer mistakes.

Use flowcharts for process flows or a high-level view of more detailed procedures

• Flowcharts depict who does what and when; they provide an at-a-glance view that is easy to follow and makes task ownership clear.
• Use swim lanes, as in this example, to indicate process stages and task ownership.
• For experienced staff, a high-level reminder of process flows or key steps is sufficient.
• Where more detail is required, include links to supporting documentation (which could include checklists, vendor documentation, other flowcharts, etc.).

See Info-Tech’s Incident and Service Management Procedures – Service Desk Example.

"Flowcharts are more effective when you have to explain status and next steps to upper management."

– Assistant Director-IT Operations, Healthcare Industry

Example: SOP in flowchart format

Review your options for diagramming software

Many organizations look for an option that easily integrates with the MS Office suite. The default option is often Microsoft Visio.

Pros:

• Easy to learn and use.
• Has a wide range of features and capabilities.
• Comes equipped with a large collection of stencils and templates.
• Offers the convenience of fluid integration with the MS Office Suite.

Cons:

• Isn’t included in any version of the MS Office Suite and can be quite expensive to license.
• Not available for Mac or Linux environments.

Consider the options below if you’re looking for an alternative to Microsoft Visio:

Desktop Solutions

• Dia Diagram Editor
• Diagram Designer
• LibreOffice Draw
• Pencil Project
• yEd Graph Editor

• Draw.io
• Creately
• Gliffy
• LucidChart

Note: No preference or recommendation is implied from the ordering of the options above.

This list is not intended to be comprehensive.

Evaluate different solutions to identify one that works for you

Use the criteria below to identify a flowchart software that fits your needs.

Use checklists to streamline step-by-step procedures

• Checklists are ideal when staff just need a reminder of what to do, not how to do it.
• Remember your audience. You aren’t pulling in a novice to run a complex procedure, so all you really need here are a series of reminders.
• Where more detail is required, include links to supporting documentation.
• Note that a flowchart can often be used instead of a checklist, depending on preference.

For two different examples of a checklist template, see:

• Employee Termination Process Checklist – IT Security Example
• System Recovery Procedures Template

Use topology diagrams to capture network layout, integrations, and system information

• Organizations commonly have network topology diagrams for reference purposes, so this is just a re-use of existing resources.
• Physically label real world equipment to correspond to topology diagrams. While these labels will be redundant for most IT employees, they help give clarity and confidence when changes are being made.
• If your topology diagrams are housed in a tool such as a systems management product, then export the diagrams so they can be included in your SOP documentation suite.

"Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them."

Use screen captures and tutorials to facilitate training for applications and SOPs

• Screen capture tutorials or videos are effective for training staff on applications. For example, create a screen capture tutorial to train staff on the use of a help desk application and your company’s specific process for using that tool.
• Similarly, create tutorials to train end users on straightforward “technical” tasks (e.g. setting up their VPN connection) to reduce the demand on IT staff.
• Tutorials can be created quickly and easily with affordable software such as Snag-It, ScreenHunter Pro, HyperSnap, PicPick, FastStone, Ashampoo Snap 6, and many others.

"When contractors come onboard, they usually don't have a lot of time to learn about the organization, and we have a lot of unique requirements. Creating SOP documents with screenshots has made the process quicker and more accurate."

– Susan Bellamore, Business Analyst, Public Guardian and Trustee of British Columbia

Example: Disaster recovery notification and declaration procedure

1. Swim lanes indicate task ownership and process stages.
2. Links to supporting documentation (which could include checklists, vendor documentation, other flowcharts, etc.) are included where necessary.
3. Additional DR SOPs are captured within the same spreadsheet for convenient, centralized access.

Review Info-Tech’s Incident Response and Recovery Process Flows – DRP Example.

Example: DRP flowchart with links to supporting documents

Establish flowcharting standards

If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

Start, End, and Connector. Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.

Start, End. Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.

Process Step. Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the sub-process symbol and flowchart the sub-process separately.

Sub-Process. A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a sub-process, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).

Decision. Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).

Document/Report Output. For example, the output from a backup process might include an error log.

Conduct a tabletop planning exercise to build an SOP

1.3a

20 minutes

Tabletop planning is a paper-based exercise where your team walks through a particular process and maps out what happens at each stage.

1. For this exercise, choose one particular process to document.
2. Document each step of the process using cue cards, which can be arranged on the table in sequence.
3. Be sure to include task ownership in your steps.
4. Map out the process as it currently happens – we’ll think about how to improve it later.
5. Keep focused. Stay on task and on time.

OUTPUT

• Steps in the current process for one SOP

Materials

• Tabletop, pen, and cue cards

Participants

• Process Owners
• SMEs

Info-Tech Insight

Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

Collaborate to optimize the SOP

1.3b

20 minutes

Review the tabletop exercise. What gaps exist in current processes?

How can the process be made better? What are the outputs and checkpoints?

OUTPUT

• Identify steps to optimize the SOP

Materials

• Tabletop, pen, and cue cards

Participants

• Process Owners
• SMEs

A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

If it’s necessary to clarify complex process flows during the exercise, also use green cards for decision diamonds, purple for document/report outputs, and blue for sub-processes.

Capture opportunities to improve processes in the Standard Operating Procedures Project Roadmap Tool

1.3

Rank and track projects to close gaps you discover in your processes.

1. As a group, identify potential solutions to close the gaps in your processes that you’ve uncovered through the tabletop mapping exercise.
2. Add these project names to the Standard Operating Procedures Project Roadmap Tool on the “Project Scoring” tab.
3. Review and adjust the criteria for evaluating the benefits and costs of different projects on the “Scoring Criteria” tab.
4. Return to the “Project Scoring” tab, and assign weights at the top of each scoring column. Use the drop-down menus to adjust the scores for each project category. The tool will automatically rank the projects based on your input, but you can adjust the ranks as needed.
5. Assign dates and descriptions to the projects on the “Implementation Schedule” tab, below.

Identify gaps to improve process performance and make SOP documentation a priority

CASE STUDY

Challenge

• Tabletop planning revealed a 77-hour gap between current and desired RTO for critical systems.
• Similarly, the current achievable RPO gap was up to one week, but the desired RPO was one hour.
• A DR site was available but not yet set up with the necessary equipment.
• Lack of documented standard operating procedures (SOPs) was identified as a risk since that increased the dependence on two or three key SMEs.

Solution

• Potential projects to close RTO/RPO gaps were identified, including:
• Deploy servers that were decommissioned (as a result of a server refresh) to the DR site as warm standby servers.
• Implement site-to-site data replication.
• Document SOPs to enable tasks to be delegated and minimize resourcing risks.

Results

• A DR project implementation schedule was defined.
• Many of the projects required no further investment, but rather deployment of existing equipment that could function as standby equipment at the DR site.
• The DR risk from a lack of SOPs enabled SOPs to be made a priority. An expected side benefit is the ability to review and optimize processes and improve consistency in IT operations.

Document the SOPs from the tabletop exercise

1.3c

20 minutes

Document the results from the tabletop exercise in the appropriate format.

1. Identify an appropriate visual format for the high-level SOP as well as for any sub-processes or supporting documentation.
2. Break into groups of two or three.
3. Each group will be responsible for creating part of the SOP. Include both the high-level SOP itself and any supporting documentation such as checklists, sign-off forms, sub-processes, etc.
4. Once your document is complete, exchange it with that of another group. Review each other’s documents to check for clarity and completeness.

OUTPUT

• Output from activities 1.4 and 1.5

Materials

• Flowcharting software, laptops

Participants

• Process Owners
• SMEs

Repeat the tabletop exercise for the second process

Come back together as a large group. Choose a process that is significantly different from the one you’ve just documented, and repeat the tabletop exercise.

As a reminder, the steps are:

1. Use the tabletop exercise to map out a current SOP.
2. Collaborate to optimize the SOP.
3. Decide on appropriate formats for the SOP and its supporting documents.
4. Divide into small groups to create the SOP and its supporting documents.
5. Repeat the steps above as needed for your initial review of critical processes.

Info-Tech Insight

If you plan to document more than two or three SOPs at once, consider making it an SOP “party” to add momentum and levity to an otherwise dry process. Review section 2.3 to find out how.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1a-e

Get started by prioritizing SOPs

Ensure the SOP project remains business focused, and kick off the project by analyzing critical business services. Identify key IT services that support the relevant business services. Conduct a benefit/risk analysis to prioritize which SOPs should become the focus of the workshop.

1.3a-c

Document the SOPs from the tabletop exercise

Leverage a tabletop planning exercise to walk the team through the SOP. During the exercise, focus on identifying timelines, current gaps, and potential risks. Document the steps via que cards first and transpose the hard copies to an electronic version.

Phase 2

Establish a Sustainable Documentation Process

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Establish a sustainable SOP documentation process

Proposed Time to Completion (in weeks): 4 weeks

Step 2.1: Establish guidelines for identifying and organizing SOPs

Start with an analyst call:

• Establish documentation information guidelines.
• Review version control best practices.

Then complete these activities…

• Implement best practices to identify and organize your SOPs.

With these tools & templates:

• SOP Workbook

Step 2.2: Define a process to document and maintain SOPs

Review findings with analyst:

• Identify opportunities to create a culture that fosters SOP creation.

Then complete these activities…

• Create a plan to address SOP documentation gaps.

With these tools & templates:

• Document Management Checklist

Step 2.3: Plan time with experts to put a dent in your documentation backlog

Finalize phase deliverable:

• Address outstanding undocumented SOPs by working through process issues together.

Then complete these activities…

• Organize and run a working session to document and optimize processes.

With these tools & templates:

• SOP Workbook
• SOP Project Roadmap Tool

Phase 2 Results & Insights:

Improve the process for documenting and maintaining your SOPs, while putting a dent in your documentation backlog and gaining buy-in with staff.

Identify current content management practices and opportunities for improvement

DISCUSS

What is the current state of your content management practices?

Are you using a content management system? If not, where are documents kept?

Are your organizational or departmental SOPs easy to find?

Is version control a problem? What about file naming standards?

Get everyone on the same page on the current state of your SOP document management system, using the questions above as the starting point.

Keep document management simple for better adoption and consistency

If there is too much complexity and staff can’t easily find what they need, you won’t get buy-in and you won’t get consistency.

Whether you store SOPs in a sophisticated content management system (CMS) or on a shared network drive, keep it simple and focus on these primary goals:

• Enable staff to find the right document.
• Know if a document is the latest, approved version.
• Minimize document management effort to encourage buy-in and consistency.

If users can’t easily find what they need, it leads to bad practices. For example:

• Users maintain their own local copies of commonly used documents to avoid searching for them. The risk is that local copies will not be automatically updated when the SOP changes.
• Separate teams will implement their own document management system and repository. Now you have duplication of effort and company resources, multiple copies of documents (where each group needs their own version), and no centralized control over potentially sensitive documents.
• Users will ignore documented SOPs or ask a colleague who might also be following the above bad practices.

Insert a document information block on the first page of every document to identify key attributes

Include a document information block on the first page of every document to identify key attributes. This strategy is as much about minimizing resistance as it is ensuring key attributes are captured.

• A consistent document information block saves time (e.g. vs. customized approaches per document). If some fields don’t apply, enter “n/a.”
• It provides key information about the document without having to check soft copy metadata, especially if you work with hard copies.
• It’s a built-in reminder of what to capture and easier than updating document properties or header/footer information or entering metadata into a CMS.

Note: The Info-Tech templates in this blueprint include a copy of the document information block shown in this example. Add more fields if necessary for your organization’s needs.

For an example of a completed document information block, see Network Backup for Atlanta Data Center – Backups Example

Info-Tech Insight

For organizations with more advanced document management requirements, consider more sophisticated strategies (e.g. using metadata) as described in Info-Tech’s Use SharePoint for Enterprise Content Management and Reintroduce the Information Lifecycle to the Content Management Strategy. However, the basic concepts above still apply: establish standard attributes you need to capture and do so in a consistent manner.

Modify the Info-Tech document information block to meet your requirements

2.1a

15 minutes

1. Review “Guidelines and Template for the Document Information Block” in the Standard Operating Procedures Workbook. Determine if any changes are required, such as additional fields.
2. Identify which fields you want to standardize and then establish standard terms. Balance the needs for simplicity and consistency – don’t force consistency where it isn’t a good fit.
3. Pre-fill the document information block with standard terms and examples and add it to an SOP template that’s stored in your content management system.

Educate staff by pre-filling the document

• Providing examples built into the templates provides in-context, just-in-time training which is far more effective and easier than formal education efforts.
• Focus your training on communicating when the template or standard terms change so that staff know to obtain the new version. Otherwise, the tendency for many staff will be to use one of their existing documents as their template.

OUTPUT

• Completed document information block

Materials

• Laptop
• Projector

Participants

• Process Owners
• SMEs

Leverage the document information block to create consistent filenames that facilitate searching

Use the following filename format to create consistent, searchable, and descriptive filenames:

Topic – Document Title – Document Type – Version Date

For example:

• ERP – System Administration Monthly Maintenance Tasks – Checklist – 2016-01-15.docx
• ERP – System Administration Monthly Maintenance Tasks – SOP – 2017-01-10.docx
• Backups – Network Backup Procedure for Atlanta Data Center – SOP – 2017-03-06.docx
• PROJ437 – CRM Business Requirements – BRD – 2017-02-01.xlsx
• DRP – Notification Procedures – SOP – 2016-09-14.docx
• DRP – Emergency Response Team Roles and Responsibilities – Reference – 2018-03-10.xlsx

Apply filename and document information block guidelines to existing SOPs

2.1b

15 minutes

1. Review the SOPs created during the earlier exercises.
2. Update the filenames and document information block based on guidelines in this section.
3. Apply these guidelines to other select existing SOPs to see if additional modifications are required (e.g. additional standard terms).

INPUT

• Document Information Block

OUTPUT

• Updated filenames and document information blocks

Materials

• Laptop and projector

Participants

• Process Owners
• SMEs

Implement version control policies for local files as well as those in your content management system (CMS)

1. Version Control in Your CMS

Always keep one master version of a document:

• When uploading a new copy of an existing SOP (or any other document), ensure the filenames are identical so that you are just adding a new version rather than a separate new file.
• Do not include version information in the filename (which would create a new separate file in your CMS). Allow your CMS to handle version numbering.

Ideally, staff would never keep local copies of files. However, there are times when it is practical or preferable to work from a local copy: for example, when creating or updating an SOP, or when working remotely if the CMS is not easily accessible.

Implement the following policies to govern these circumstances:

• Add the version date to the end of the filename while the document is local, as shown in the slide on filenames.
• Remove the date when uploading it to a CMS that tracks date and version. If you leave the date in the filename, you will end up with multiple copies in your CMS.
• When distributing copies for review, upload a copy to the CMS and send the link. Do not attach a physical file.

Reduce the need for version updates by isolating volatile information in a separate, linked document. For example:

• Use Policy documents to establish high-level expectations and goals, and use SOPs to capture workflow, but put volatile details in a separate reference document. For example, for Backup procedures, put offsite storage vendor details such as contact information, pick up times, and approved couriers in a separate document.
• Similarly, for DRP Notification procedures, reference a separate contacts list.

Modify the Info-Tech Document Management Checklist to meet your requirements

2.1c

15 minutes

1. Review the Info-Tech Document Management Checklist.
2. Add or remove checklist items.
3. Update the document information block.

OUTPUT

• Completed document management checklist

Materials

• Laptop, projector

Participants

• Process Owners
• SMEs

See Info-Tech’s Document Management Checklist.

If you aren’t going to keep your SOPs current, then you’re potentially doing more harm than good

An outdated SOP can be just as dangerous as having no SOP at all. When a process is documented, it’s trusted to be accurate.

• Disaster recovery depends as much on supporting SOPs – such as backup and restore procedures – as it does on a master incident response plan.
• For disaster scenarios, the ability to meet recovery point objectives (i.e. minimize data loss) and recovery time objectives (i.e. minimize downtime) depends on smoothly executed recovery procedures and on having well-defined and up-to-date DR documentation and supporting SOPs. For example:
• Recovery point (data loss) objectives are directly impacted by your backup procedures.
• Recovery time is minimized by a well-defined restore procedure that reduces the risk of human error during recovery which could lead to data loss or a delay in the recovery.
• Similarly, a clearly documented configuration procedure will reduce the time to bring a standby system online.

Follow Info-Tech best practices to keep SOPs current and drive consistent, efficient IT operations

The following best practices were measured in this chart, and will be discussed further in this section:

1. Identify documentation requirements as part of project planning.
2. Require a manager or supervisor to review and approve SOPs.
3. Check documentation status as part of change management.
4. Hold staff accountable.

Higher adoption of Info-Tech best practices leads to more effective SOPs and greater benefits in areas such as training and process improvement.

Info-Tech Insight

Audits for compliance requirements have little impact on getting SOPs done in a timely manner or the actual usefulness of those SOPs, because the focus is on passing the audit instead of creating SOPs that improve operations. The frantic annual push to complete SOPs in time for an audit is also typically a much greater effort than maintaining documents as part of ongoing change management.

Identify documentation requirements as part of project planning

DISCUSS

When are documentation requirements captured, including required changes to SOPs?

Make documentation requirements a clearly defined deliverable. As with any other task, this should include:

• Owner: The person ultimately responsible for the documentation.
• Assigned resource: The person who will actually put pen to paper. This could be the same person as the owner, or the owner could be a reviewer.
• Deadlines: Include documentation deliverables in project milestones.
• Verification process: Validate completion and accuracy. This could be a peer review or management review.

Example: Implement a new service desk application.

• Service desk SOP documentation requirements: SOP for monitoring and managing tickets will require changes to leverage new automation features.
• Owner: Service Desk Lead.
• Assigned resource: John Smith (service desk technician).
• Deadline: Align with “ready for QA testing.”
• Verification process: Service Desk Lead document review and signoff.

Info-Tech Insight

Realistically, documentation will typically be a far less urgent task than the actual application or system changes. However, if you want the necessary documentation to be ultimately completed, even if it’s done after more urgent tasks, it must be tracked.

Implement document approval steps at the individual and project level

DISCUSS

How do you currently review and validate SOP documents?

Require a manager or supervisor to review and approve SOPs.

• Avoid a bureaucratic review process involving multiple parties. The goal is to ensure accuracy and not just provide administrative protection.
• A review by the immediate supervisor or manager is often sufficient. Their feedback and the implied accountability improve the quality and usefulness of the SOPs.

Check documentation status as part of change management.

• Including a documentation status check holds the project leaders and management accountable.
• If SOPs are not critical to the project deliverable, then realistically the deliverable is not held back. However, keep the project open until relevant documents are updated so those tasks can’t be swept under the rug until the next audit.

SOP reviews, change management, and identifying requirements led to benefits such as training and process improvement.

"Our directors and our CIO have tied SOP work to performance evaluations and SOP status is reviewed during management meetings. People have now found time to get this work done."

– Assistant Director-IT Operations, Healthcare Industry

Review SOPs regularly and assign a process owner to avoid reinforcing silos

CASE STUDY

Industry

Public service organization

Source

Info-Tech client engagement

Situation

• The organization’s IT department consists of five heavily siloed units.
• Without communication or workflow accountability across units, each had developed incompatible workflows, making estimates of “time to resolution” for service requests difficult.
• The IT service manager purchases a new service desk tool, attempting to standardize requests across IT to improve efficiency, accountability, and transparency.

Complication

• The IT service manager implements the tool and creates standardized workflows without consulting stakeholders in the different service units.
• The separate units immediately rebel against the service manager and try to undermine the implementation of the new tool.

Results

• Info-Tech analysts helped to facilitate a solution between experts in the different units.
• In order to develop a common workflow and ticket categorization scheme, Info-Tech recommended that each service process should have a single approver.

The bottom line: ensure that there’s one approver per process to drive process efficiency and accountability and avoid problems down the road.

Hold staff accountable to encourage SOP work to be completed in a timely manner

DISCUSS

Are SOP updates treated as optional or “when I have time” work?

Hold staff directly accountable for SOP work.

Holding staff accountable is really about emphasizing the importance of ensuring SOPs stay current. If management doesn’t treat SOPs as a priority, then neither will your staff. Strategies include:

• Include SOP work in performance appraisals.
• Keep relevant tickets open until documentation is completed.
• Ensure documents are reviewed, as discussed earlier.
• Identify and assign documentation tasks as part of project planning efforts, as discussed earlier.

Holding staff accountable minimizes procrastination and therefore maintenance effort.

Info-Tech Insight

Holding staff accountable does not by itself make a significant impact on SOP quality (and therefore the typical benefits of SOPs), but it minimizes procrastination, so the work is ultimately done in a more timely manner. This ensures SOPs are current and usable, so they can drive benefits such as consistent operations, improved training, and so on.

Assign action items to address SOP documentation process challenges

2.2

1. Discuss the challenges mentioned at the start of this section, and other challenges highlighted by the strategies discussed in this section. For example:

• Are documentation requirements included in project planning?
• Are SOPs and other documentation deliverables reviewed?
• Are staff held accountable for documentation?

An “SOP party” fosters a collaborative approach and can add some levity to an otherwise dry exercise

What is an SOP party?

• An SOP party is a working session, bringing together process owners and key staff to define current SOPs and collaborate to identify optimization opportunities.
• The party aspect is really just about how you market the event. Order in food or build in a cooking contest (e.g. a chilli cook-off or dessert bake-off) to add some fun to what can be a dry activity.

Why does this work?

• Process owners become so familiar with their tasks that many of the steps essentially live in their heads. Questions from colleagues draw out those unwritten steps and get them down on paper so another sufficiently qualified employee could carry out the same steps.
• Once the processes are defined (e.g. via a tabletop exercise), input from colleagues can help identify risks and optimization opportunities, and process questions can be quickly answered because the key people are all present.
• The group approach also promotes consistency and enables you to set expectations (e.g. visual-based approach, standards, level of detail, etc.).

When is collaboration necessary (e.g. via tabletop planning)?

• Tabletop planning is ideal for complex processes as well as processes that span multiple tasks, people, and/or systems.
• For processes with a narrow focus (e.g. recovery steps for a specific server), assign these to the SME to document. Then ensure the SOP is reviewed to draw out the unwritten steps as described above.
• For example, if you use tabletop planning to document a high-level DR plan, sub-processes might include recovery procedures for individual systems; those SOPs can then be assigned to individual SMEs.

Schedule SOP working sessions until critical processes are documented

Ultimately, it’s more efficient to create and update SOPs as needed but dedicated working sessions will help address immediate critical needs.

Organize the working session:

1. Book a full-day meeting in an out of the way meeting room, invite key staff (system and process owners who ultimately need to be SOP owners), and order in lunch so no one has to leave.
2. Prioritize SOPs (see Phase 1) and set goals (e.g. complete the top 6 SOPs during this session).
3. Alternate between collaborative efforts and documenting the SOPs. For example:
1. Tabletop or flowchart the current SOP. Take a picture of the current state for reference purposes.
2. Look for process improvements. If you have the authority in the room to enable process changes, then modify the tabletop/flowchart accordingly and capture this desired future state (e.g. take a picture). Otherwise, identify action items to follow up on proposed changes.
3. Identify all related documentation deliverables (e.g. sub-processes, checklists, approval forms, etc.).
4. Create the identified documentation deliverables (divide the work among the team). Then repeat the above.
4. Repeat these working sessions on a monthly or quarterly basis, depending on your requirements, until critical SOPs are completed.
5. When the SOP backlog is cleared, conduct quarterly or semi-annual refreshers for ongoing review and optimization of key processes.

Assign action items to capture next steps after SOP working sessions

2.3

1. Review the SOPs documented during this workshop. Identify action items to complete and validate those SOPs and related documents. For example, do the SOPs require further approval or testing?
2. Similarly, review the document management checklist and identify action items to complete, expand, and/or validate proposed standards.
3. For SOP working sessions, decide on a date, time, and who should be there based on the guidelines in this section. If the SOP party approach does not meet your requirements, then at the very least assign owners for the identified critical SOPs and set deadlines for completing those SOPs. Document these extra action items in your copy of the Standard Operating Procedures Workbook.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with out Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

2.1

Identify current content management practices

As a group, identify current pain points and opportunities for improvement in your current content management practices.

2.2

Assign action items to address documentation process challenges

Develop a list of action items to address gaps in the SOP documentation and maintenance process.

Phase 3

Identify a Content Management Solution

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Phase 3 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Decide on a content management solution for your SOPs

Proposed Time to Completion (in weeks): 1 week

Step 3.1: Understand the options for CM solutions

Start with an analyst kick off call:

• Review your current approach to content management and discuss possible alternatives.

Then complete these activities…

• Evaluate the pros and cons of different approaches to content management.
• Discuss approaches for fit with your team.

Step 3.2: Identify the right solution for you

Review findings with analyst:

• Identify 2–3 possible options for a content management strategy.

Then complete these activities…

• Identify the best solution based on portability, maintainability, cost, and implementation effort.

With these tools & templates:

• Publishing and Document Management Solution Evaluation Tool
• SOP Project Roadmap
• SOP Workbook

Phase 3 Results & Insights:

Choose an approach to content management that will best support your organization’s SOP documentation and maintenance process.

Decide on an appropriate publishing and document management strategy for your organization

Publishing and document management considerations:

• Portability/External Access: At the best of times, portability is nice because it enables flexibility, but at the worst of times (such as in a disaster recovery situation) it is absolutely essential. If your primary site is down, can you still access your documentation? As shown in this chart, traditional storage strategies still dominate DRP documentation, but these aren’t necessarily the best options.
• Maintainability/Usability: How easy is it to create, update, and use the documentation? Is it easy to link to other documents? Is there version control? The easier the system is to use, the easier it is to get employees to use it.
• Cost/Effort: Is the cost and effort appropriate? For example, a large enterprise may need a formal solution like SharePoint or a Content Management System. For smaller organizations, the cost of these tools might be harder to justify.

Consider these approaches:

This section reviews the following approaches, their pros and cons, and how they meet publishing and document management requirements:

• SOP tools.
• Cloud-based content management software.
• In-house solutions combining SharePoint and MS Office (or equivalent).
• Wiki site.
• “Manual” approaches such as storing documents on a USB drive.

Source: Info-Tech Research Group; N=118

Note: Percentages total more than 100% due to respondents using more than one portability strategy.

Develop a content management strategy and process to reduce organizational risk

CASE STUDY

Segment

Mid-market company

Source

Info-Tech Interview

Situation

• A mid-sized company hired a technical consultancy to manage its network.
• As part of this move, the company’s network administrator was fired.
• Over time, this administrator had become a “go-to” person for several other IT functions.

Complication

• The consulting team realizes that the network administrator kept critical documentation on his local hard drive.
• This includes configs, IP addresses, passwords, logins to vendor accounts, and more.
• It becomes clear the administrator was able to delete some of this information before leaving, which the consultants are required to retrieve and re-document.

Result

• Failing to implement effective SOPs for document management and terminating key IT staff exposed the organization to unnecessary risk and additional costs.
• Allowing a local content management system to develop created a serious security risk.
• The bottom line: create a secure, centralized, and backed-up location and establish SOPs around using it to help keep the company’s data safe.

Info-Tech offers a web-based policy management solution with process management capabilities

About this Approach:

myPolicies is a web-based solution to create, distribute, and manage corporate policies, procedures, and forms, built around best practices identified by our research.

Contact your Account Manager today to find out if myPolicies is right for you.

SOP software and DR planning tools can help, but they aren’t a silver bullet

Portability/External Access:

• Pros: Typically have a SaaS option, providing built-in external access with appropriate security and user administration to vary access rights.
• Cons: Dependent on the vendor to ensure external access, but this is typically not an issue.

Maintainability/Usability:

• Pros: Built-in templates encourage consistency as well as guide initial content development by indicating what details need to be captured.
• Pros: Built-in document management (e.g. version control, metadata support, etc.), centralized access/navigation to required documents, and some automation (e.g. update contacts throughout the system).
• Cons: Not a silver bullet. You still have to do the work to define and capture your processes.
• Cons: Requires end-user and administrator training.
• Cons: Often modules of larger software suites. If you use the entire suite, it may make sense to use the SOP tool, but otherwise probably not.

Cost/Effort:

• Pros: For large enterprises, the convenience of built-in document management and templates can outweigh the cost.
• Cons: SOP tools can be costly. Expect to pay at least $3,000-7,000 for software licensing, plus additional per user and hosting fees.

About this Approach:

SOP tools such as Princeton Center’s SOP ExpressTM and SOP Tracks or MasterControl’s SOP Management and eSOP allow organizations to create, manage, and access SOPs. These programs typically offer a range of SOP templates and formats, electronic signatures, version control, and review options and training features such as quizzes and monitoring.

Similarly, DR planning solutions (e.g. eBRP, Recovery Planner, LDRPS, etc.) provide templates, tools, and document management to create DR documentation including SOPs.

Consider leveraging SharePoint to provide document management capabilities

Portability/External Access:

• Pros: SharePoint is commonly web-enabled and supports external access with appropriate security and user administration.
• Cons: Must be installed at redundant sites or be cloud-based to be effective in the event of a worst-case scenario disaster recovery situation in which the primary data center is down.

Maintainability/Usability:

• Pros: Built-in document management (e.g. version control, metadata support, etc.) as well as centralized access to required documents.
• Pros: No tool learning curve – SharePoint and MS Office would be existing solutions already used on a daily basis.
• Cons: No built-in automated updates (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: Using existing tools, so this is a sunk cost in terms of capex.
• Cons: Additional effort required to create templates and manage the documentation library.

For more information on SharePoint as a content management solution, see Info-Tech’s Use SharePoint for Enterprise Content Management.

About this Approach:

Most SOP documents start as MS Office documents, even if there is an SOP tool available (some SOP tools actually run within MS Office on the desktop). For organizations that decide to bypass a formal SOP tool, the biggest gap they have to overcome is document management.

Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for SOP documentation.

For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instance at multiple in-house locations or using a cloud-based SharePoint solution.

As an alternative to SharePoint, SaaS tools such as Power DMS, NetDocuments, Xythos on Demand, Knowledge Tree, Spring CM, and Zoho Docs offer cloud-based document management, authoring, and distribution services that can work well for SOPs. Some of these, such as Power DMS and Spring CM, are geared specifically toward workflows.

A wiki may be all you need

Portability/External Access:

• Pros: Wiki sites can support external access as with any web solution.
• Cons: May lack more sophisticated content management features.

Maintainability/Usability:

• Pros: Built-in document management (e.g. version control, metadata support, etc.) as well as centralized access to required information.
• Pros: Authorized users can make updates dynamically, depending on how much restriction you have on the site.
• Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: An inexpensive option compared to traditional content management solutions such as SharePoint.
• Cons: Learning curve if wikis are new to your organization.

About this Approach:

Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.

While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.

Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:

• Implement a Collaboration Platform
• Vendor Landscape: Collaboration Platforms

An approach that I’ve seen work well is to consult the wiki for any task, activity, job, etc. Is it documented? If not, then document it there and then. Sure, this led to 6-8 weeks of huge effort, but the documentation grew in terms of volume and quality at an alarming but pleasantly surprising rate. Providing an environment to create the documentation is important and a wiki is ideal. Fast, lightweight, in-browser editing leads to little resistance in creating documents.

- Lee Blackwell, Global IT Operation Services Manager, Avid Technology

Managing SOPs on a shared network drive involves major challenges and limitations

Portability/External Access:

• Cons: Must be hosted at redundant sites in order to be effective in a worst-case scenario that takes down your data center.

Maintainability/Usability:

• Pros: Easy to implement and no learning curve.
• Pros: Access can be easily managed.
• Cons: Version control, standardization, and document management can be significant challenges.

Cost/Effort:

• Pros: Little to no cost and no tool management required.
• Cons: Managing documents on a shared network drive requires strict attention to process for version control, updates, approvals, and distribution.

About this Approach:

With this strategy, SOP documents are stored and managed locally on a shared network drive. Only process owners and administrators have read-write permissions on documents on the shared drive.

The administrator grants access and manages security permissions.

Info-Tech Insight

For small organizations, the shared network drive approach can work, but this is ultimately a short-term solution. Move to an online library by creating a wiki site. Start slow by beginning with a particular department or project, then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to the Info-Tech collaboration strategy research cited on the previous slide for additional guidance.

Avoid extensive use of paper copies of SOP documentation

SOP documents need to be easy to update, accessible from anywhere, and searchable. Paper doesn’t meet these needs.

Portability/External Access:

• Pros: Does not rely on technology or power.
• Cons: Not adequate for disaster recovery situations; would require all staff to have a copy and to have it with them at all times.

Maintainability/Usability:

• Pros: In terms of usability, again there is no dependence on technology.
• Cons: Updates need to be printed and distributed to all relevant staff every time there is a change to ensure staff have access to the latest most accurate documentation.
• Cons: Navigation to other information is manual – flipping through pages etc. No searching or hyperlinks.

Cost/Effort:

• Pros: No technology system to maintain, aside from what you use for printing.
• Cons: Printing expenses are actually among the highest incurred by organizations and this adds to it.
• Cons: Labor-intensive due to need to print and physically distribute documentation updates.

About this Approach

Traditionally, SOPs were printed and kept somewhere in a large binder (or several large binders). This isn’t adequate to the needs of most organizations and typically results in documents that aren’t up to date or effective.

Use Info-Tech’s solution evaluation tool to decide on a publishing and document management strategy

All organizations have existing document management methodologies, even if it’s simply storing documents on a network drive.

Use Info-Tech’s solution evaluation tool to decide whether your existing solution meets the portability/external access, maintainability/usability, and cost/effort criteria, or whether you need to explore a different option.

Note: This tool was originally built to evaluate DRP publishing options, so the tool name and terminology refers to DR. However, the same tool can be used to evaluate general SOP publishing and document management solutions.

Consider using Info-Tech’s DRP Publishing and Document Management Solution Evaluation Tool.

Info-Tech Insight

There is no absolute ranking for possible solutions. The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on. For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to ensure consistent application of corporate guidelines.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

3.1

Decide on a publishing and document management strategy

Review the pros and cons of different strategies for publishing and document management. Identify needs, priorities, and limitations of your environment. Create a shortlist of options that can meet your organization’s needs and priorities.

3.2

Complete the solution evaluation tool

Evaluate solutions on the shortlist to identify the strongest option for your organization, based on the criteria of maintainability, affordability, effort to implement, and accessibility/portability.

Insight breakdown

Create visual documents, not dense SOP manuals.

• Visual documents that can be scanned are more usable and easier to update.
• Flowcharts, checklists, and diagrams all have their place in visual documentation.

Start with high-impact SOPs.

• It can be difficult to decide where to start when faced with a major documentation backlog.
• Focus first on client facing and high-impact SOPs, i.e. mission-critical operations, service management, and disaster recovery procedures.

Integrate SOP creation into project requirements and hold staff accountable.

• Holding staff accountable does not provide all the benefits of a well documented and maintained SOP, but it minimizes procrastination, so the work is ultimately done in a more timely manner.

Summary of accomplishment

Knowledge Gained

SOPs may not be exciting, but they’re very important to organizational consistency, efficiency, and improvement.

This blueprint outlined how to:

• Prioritize and execute SOP documentation work.
• Establish a sustainable process for creating and maintaining SOP documentation.
• Choose a content management solution for best fit.

Processes Optimized

• Multiple processes supporting mission-critical operations, service management, and disaster recovery were documented. Gaps in those processes were uncovered and addressed.
• In addition, your process for maintaining process documents was improved, including adding documentation requirements and steps requiring documentation approval.

Deliverables Completed

As part of completing this project, the following deliverables were completed:

• Standard Operating Procedures Workbook
• Standard Operating Procedures Project Roadmap Tool
• Document Management Checklist
• Publishing and Document Management Solution Evaluation Tool

Project step summary

Client Project: Create and maintain visual SOP documentation.

1. Prioritize undocumented SOPs.
2. Develop visual SOP documentation.
3. Optimize and document critical processes.
4. Establish guidelines for identifying and organizing SOPs.
5. Define a process for documenting and maintaining SOPs.
6. Plan time with experts to put a dent in your documentation backlog.
7. Understand the options for content management solutions.
8. Identify the right content management solution for your organization.

Info-Tech Insight

This project has the ability to fit the following formats:

• Onsite workshop by Info-Tech Research Group consulting analysts.
• Do-it-yourself with your team.
• Remote delivery (Info-Tech Guided Implementation).

Bibliography

Anderson, Chris. “What is a Standard Operating Procedure (SOP)?” Bizmanualz, Inc. No date. Web. 25 Jan. 2016. https://www.bizmanualz.com/save-time-writing-procedures/what-are-policies-and-procedures-sop.html

Grusenmeyer, David. “Developing Effective Standard Operating Procedures.” Dairy Business Management. 1 Feb. 2003. Web. 25 Jan. 2016. https://ecommons.cornell.edu/handle/1813/36910

Mosaic. “The Value of Standard Operating Procedures.” 22 Oct. 2012. Web. 25 Jan. 2016. ttp://www.mosaicprojects.com.au/WhitePapers/WP1086_Standard_Operating_Procedures.pdf

Sinn, John W. “Lean, Six Sigma, Quality Transformation Toolkit (LSSQTT) Tool #17 Courseware Content – Standard Operating Procedures (SOP) For Lean and Six Sigma: Infrastructure for Understanding Process.” Summer 2006. Web. 25 Jan. 2016. https://www.bgsu.edu/content/dam/BGSU/college-of-technology/documents/LSSQTT/LSSQTT%20Toolkit/toolkit3/LSSQTT-Tool-17.pdf

United States Environmental Protection Agency. “Guidance for Preparing Standard Operating Procedures (SOPs).” April 2007. Web. 25 Jan. 2016. http://www.epa.gov/sites/production/files/2015-06/documents/g6-final.pdf

Develop an IT Asset Management Strategy

Define your business-aligned approach to ITAM.

Table of Contents

4 Analyst Perspective

5 Executive Summary

17 Phase 1: Establish Business-Aligned ITAM Goals and Priorities

59 Phase 2: Support ITAM Goals and Priorities

116 Bibliography

Develop an IT Asset Management Strategy

Define your business-aligned approach to ITAM.

EXECUTIVE BRIEF

Analyst Perspective

Track hardware and software. Seems easy, right? It’s often taken for granted that IT can easily and accurately provide definitive answers to questions like “how many laptops do we have at Site 1?” or “do we have the right number of SQL licenses?” or “how much do we need to budget for device replacements next year?” After all, don’t we know what we have? IT can’t easily provide these answers because to do so you must track hardware and software throughout its lifecycle – which is not easy. And unfortunately, you often need to respond to these questions on very short notice because of an audit or to support a budgeting exercise. IT Asset Management (ITAM) is the solution. It’s not a new solution – the discipline has been around for decades. But the key to success is to deploy the practice in a way that is sustainable, right-sized, and maximizes value. Use our practical methodology to develop and document your approach to ITAM that is aligned with the goals of your organization. Andrew Sharp Research Director Infrastructure & Operations Practice Info-Tech Research Group

Realize the value of asset management Cost optimization, application rationalization and reduction of technical debt are all considered valuable to right-size spending and improve service outcomes. Without access to accurate data, these activities require significant investments of time and effort, starting with creation of point-in-time inventories, which lengthens the timeline to reaching project value and may still not be accurate. Cost optimization and reduction of technical debt should be part of your culture and technical roadmap rather than one-off projects. Why? Access to accurate information enables the organization to quickly make decisions and pivot plans as needed. Through asset management, ongoing harvest and redeployment of assets improves utilization-to-spend ratios. We would never see any organization saying, “We’ve closed our year end books, let’s fire the accountants,” but often see this valuable service relegated to the back burner. Similar to the philosophy that “the best time to plant a tree is 20 years ago and the next best time is now,” the sooner you can start to collect, validate, and analyze data, the sooner you will find value in it. Sandi Conrad Principal Research Director Infrastructure & Operations Practice Info-Tech Research Group

Executive Summary

Info-Tech Insight

ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

Common obstacles

Info-Tech's IT Asset Management Framework (ITAM)

Adopt, manage, and mature activities to enable business value thorugh actionable, accessible, and accurate ITAM data

	Enable Business Value
Business-Aligned Spend Optimization and Transparency	Facilitate IT Services and Products Actionable, Accessible, and Accurate Data	Context-Aware Risk Management and Security Controls
Plan & Govern Business Goals, Risks, and Structure ITAM Goals & Priorities Roles, Accountability, Responsibilities Scope Ongoing Management Commitment Resourcing & Funding Policies & Enforcement Continuous Improvement Culture ITAM Education, Awareness & Training Organizational Change Management		Build & Manage Tools & Data ITAM Tool Selection & Deployment Configuration Management Synchronization IT Service Management Integration Process Process Management Data & Process Audits Document Management People, Policies, and Providers Stakeholder Management Technology Standardization Vendor & Contract Management

Info-Tech Insight

ITAM is a foundational IT service that provides actionable, accessible, and accurate data on IT assets. But there's no value in data for data's sake. Use this methodology to enable collaboration between ITAM, the business, and IT to develop an approach to ITAM that maximizes the value the ITAM team can deliver as service providers.

Key deliverable

IT asset management requires ongoing practice – you can’t just implement it and walk away. Our methodology will help you build a business-aligned strategy and approach for your ITAM practice with the following outputs: Business-aligned ITAM priorities, opportunities, and goals. Current and target state ITAM maturity. Metrics and KPIs. Roles, responsibilities, and accountability. Insourcing, outsourcing, and (de)centralization. Tools and technology. A documentation framework. Initiatives, a roadmap, and a communication plan.

Each step of this blueprint is designed to help you create your IT asset management strategy:

Info-Tech’s methodology to develop an IT asset management strategy

Insight Summary

There’s no value in data for data’s sake

ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an approach to ITAM that maximizes the value they can deliver as service providers.

Service provider to a service provider

ITAM is often viewed (when it’s viewed at all) as a low-value administrative task that doesn’t directly drive business value. This can make it challenging to build a case for funding and resources.

Your ITAM strategy is a critical component to help you define how ITAM can best deliver value to your organization, and to stop creating data for the sake of data or just to fight the next fire.

Collaboration over order-taking

To align ITAM practices to deliver organizational value, you need a very clear understanding of the organization’s goals – both in the moment and as they change over time.

Ensure your ITAM team has clear line of sight to business strategy, objectives, and decision-makers, so you can continue to deliver value as priorities change

Embrace dotted lines

ITAM teams rely heavily on staff, systems, and data beyond their direct area of control. Identify how you will influence key stakeholders, including technicians, administrators, and business partners.

Help them understand how ITAM success relies on their support, and highlight how their contributions have created organizational value to encourage ongoing support.

Project benefits

Benefits for IT Set a foundation and direction for an ITAM practice that will allow IT to manage risk, optimize spend, and enhance services in line with business requirements. Establish accountability and responsibility for essential ITAM activities. Decide where to centralize or decentralize accountability and authority. Identify where outsourcing could add value. Create a roadmap with concrete, practical next steps to develop an effective, right-sized ITAM practice.

Benefits for the business Plan and control technology spend with confidence based on trustworthy ITAM data. Enhance IT’s ability to rapidly and effectively support new priorities and launch new projects. Effective ITAM can support more streamlined procurement, deployment, and management of assets. Implement security controls that reflect your total technology footprint. Reduce the risk that a forgotten device or unmanaged software turns your organization into the next Colonial Pipeline.

Info-Tech offers various levels of support to best suit your needs

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI around 12 calls over the course of 6 months.

What does a typical GI on this topic look like?

Phase Outcomes:

Defined, business-aligned goals, priorities, and KPIs for ITAM. A concise vision and mission statement. The direction you need to establish a practical, right-sized, effective approach to ITAM for your organization.

Before you get started

0.1 Identify participants

Output: List of key roles for the strategy exercises outlined in this methodology

Participants: Project sponsor, Lead facilitator, ITAM manager and SMEs

This methodology relies on having the right stakeholders in the room to identify ITAM goals, challenges, roles, structure, and more. On each activity slide in this deck, you’ll see an outline of the recommended participants. Use the table below to translate the recommended roles into specific people in your organization. Note that some people may fill multiple roles.

0.2 Estimate asset numbers

Output: Estimates of quantity and spend related to IT assets, Confidence/margin of error on estimates

Participants: IT asset manager, ITAM team

What do you know about your current IT environment, and how confident are you in that knowledge?

0.3 Create a working folder

Output: A repository for templates and work in progress

Participants: Lead facilitator

Download a copy of the ITAM Strategy Template. This will be the repository for all the work you do in the activities listed in this blueprint; take a moment to read it through and familiarize yourself with the contents. House the template in a shared repository that can house other related work in progress. Share this folder with participants so they can check in on your progress. You’ll see this callout box: Add your results to your copy of the ITAM Strategy Template as you work through activities in this blueprint. Copy the output to the appropriate slide in the ITAM Strategy Template.

Collect action items as you go

Don’t wait until the end to write down your good ideas. The last exercise in this methodology is to gather everything you’ve learned and build a roadmap to improve the ITAM practice. The output of the exercises will inform the roadmap, as they will highlight areas with opportunities for improvement. Write them down as you work through the exercises, or you risk forgetting valuable ideas. Keep an “idea space” – a whiteboard with sticky notes or a shared document – to which any of your participants can post an idea for improvement and that you can review and consolidate later. Encourage participants to add their ideas at any time during the exercises.

Step 1.1: Brainstorm ITAM opportunities and challenges

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Rally the working group around a collection of ideas that, when taken together, create a vision for the future ITAM practice.
• Identify your organization’s current ITAM challenges.

“ITAM is a cultural shift more than a technology shift.” (Rory Canavan, SAM Charter)

What is an IT Asset?

Any piece of technology can be considered an asset, but it doesn’t mean you need to track everything.
	According to the ISO 19770 standard on ITAM, an IT Asset is “[an] item, thing, or entity that can be used to acquire, process, store and distribute digital information and has potential or actual value to an organization.” These are all things that IT is expected to support and manage, or that have the potential to directly impact services that IT supports and manages.
	IT assets are distinct from capital assets. Some IT assets will also be capital assets, but not all will be. And not all capital assets are IT assets, either.
	IT assets are typically tracked by IT, not by finance or accounting. IT needs more from their IT asset tracking system than the typical finance department can deliver. This can include end-user devices, software, IT infrastructure, cloud-based resources, third-party managed IT services, Internet-of-Things devices, embedded electronics, SCADA equipment, “smart” devices, and more.
	It’s important to track IT assets in a way that enables IT to deliver value to the business – and an important part of this is understanding what not to track. This list should be aligned to the needs of your organization.

Enable business value with IT asset management

If you’ve never experienced a mature ITAM program before, it is almost certainly more rewarding than you’d expect once it’s functioning as intended.

Each of the below activities can benefit from accessible, actionable, and accurate ITAM data.

• Which of the activities, practices, and initiatives below have value to your organization?
• Which could benefit most from ITAM data?

1.1 Brainstorm ideas to create a vision for the ITAM practice

Input: Stakeholders with a vision of what ITAM could provide, if resourced and funded adequately

Output: A collection of ideas that, when taken together, create a vision for the future ITAM practice

Materials: ITAM strategy template, Whiteboard or virtual whiteboard

Participants: ITAM team, IT leaders and managers, ITAM business partners

It can be easy to lose sight of long-term goals when you’re stuck in firefighting mode. Let’s get the working group into a forward-looking mindset with this exercise.

Think about what ITAM could deliver with unlimited time, money, and technology.

1. Provide three sticky notes to each participant.
2. Add the headings to a whiteboard, or use a blank slide as a digital whiteboard
3. On each sticky note, ask participants to outline a single idea as follows:
   1. We could: [idea]
   2. Which would help: [stakeholder]
   3. Because: [outcome]
4. Ask participants to present their sticky notes and post them to the whiteboard. Ask later participants to group similar ideas together.

As you hear your peers describe what they hope and expect to achieve with ITAM, a shared vision of what ITAM could be will start to emerge.

1.1 Identify structural ITAM challenges

30 minutes

Input: The list of common challenges on the next slide, Your estimated visibility into IT assets from the previous exercise, The experience and knowledge of your participants

Output: Identify current ITAM challenges

Materials: Your working copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

1.1 Identify structural ITAM challenges

Review and update the list of common challenges below to reflect your own organization.

Copy results to your copy of the ITAM Strategy Template

Step 1.2: Review organizational priorities, strategy, initiatives

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• Business executives or their delegates

Outcomes

• Review organizational priorities and strategy.
• Identify key initiatives.

Executive Alignment Session Overview

ITAM Strategy Working Sessions

• Discover & Brainstorm
• Executive Alignment Working Session
  • 1.2 Review organizational strategy, priorities, and key initiatives
  • 1.3 Align executive priorities with ITAM opportunities, set ITAM priorities
• ITAM Practice Maturity, Vision & Mission, Metrics & KPIs
• Scope, Outsourcing, (De)Centralization, RACI
• Service Management Integration
• ITAM Tools
• Audits, Budgets, Documents
• Roadmap & Comms Plan

A note to the lead facilitator and project sponsor:
Consider working through these exercises by yourself ahead of time. As you do so, you’ll develop your own ideas about where these discussions may go, which will help you guide the discussion and provide examples to participants.

1.2 Review organizational strategy and priorities

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leadership, Business executives or delegates

Welcome your group to the working session and outline the next few exercises using the previous slide.

Ask the most senior leader present to provide a summary of the following:

1. What is the vision for the organization?
2. What are our priorities and what must we absolutely get right?
3. What do we expect the organization to look like in three years?

The facilitator or a dedicated note-taker should record key points on a whiteboard or flipchart paper.

1.2 Identify transformational initiatives

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leadership, Business executives or delegates

Ask the most senior leader present to provide a summary of the following: What transformative business and IT initiatives are planned? When will they begin and end?

Using one box per initiative, draw the initiatives in a timeline like the one below.

Add your results to your copy of the ITAM Strategy Template

Step 1.3: Set business-aligned ITAM priorities

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• Business executives

Outcomes

• Connect executive priorities to ITAM opportunities.
• Set business-aligned priorities for the ITAM practice.

1.3 Align executive priorities with ITAM opportunities

45 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leaders and managers, Business executives or delegates

In this exercise, we’ll use the table on the next slide to identify the top priorities of key business and IT stakeholders and connect them to opportunities for the ITAM practice.

1. Ask your leadership or executive delegates – what are their goals? What are they trying to accomplish? List roles and related goals in the table.
2. Brainstorm opportunities for IT asset management to support listed goals:
   1. Can ITAM provide an enhanced level of service, access, or insight?
   2. Can ITAM address an existing issue or mitigate an existing risk?

Add your results to your copy of the ITAM Strategy Template

1.3 Align executive priorities with ITAM opportunities (example)

1.3 Categorize ITAM opportunities

10-15 minutes

Input: The outputs from the previous exercise

Output: Executive priorities, sorted into the three categories at the right

Materials: The table in this slide, The outputs from the previous exercise

Participants: Lead facilitator

Give your participants a quick break. Quickly sort the identified ITAM opportunities into the three main categories below as best you can.

We’ll use this table as context for the next exercise.

Add your results to your copy of the ITAM Strategy Template

1.3 Set ITAM priorities

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: Whiteboard, The template on the next slide, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leaders and managers, Business executives or delegates

The objective of this exercise is to prioritize the outcomes your organization wants to achieve from its ITAM practice, given the context from the previous exercises.

Review the image below. The three points of the triangle are the three core goals of ITAM: Enhance IT Service, Manage Risk, and Optimize Spend. This exercise was first developed by Kylie Fowler of ITAM Intelligence. It is an essential exercise to understand ITAM priorities and the tradeoffs associated with those priorities. These priorities aren’t set in stone and should be revisited periodically as technology and business priorities change.

Draw the diagram on the next slide on a whiteboard. Have the most senior leader in the room place the dot on the triangle – the closer it is to any one of the goals, the more important that goal is to the organization. Note: The center of the triangle is off limits! It’s very rarely possible to deliver on all three at once. Track notes on what’s being prioritized – and why – in the template on the next slide.

Add your results to your copy of the ITAM Strategy Template

1.3 Set ITAM Priorities

The priorities of the ITAM practice are to: Optimize Spend Manage Risk Why? We believe there is significant opportunity right now to rationalize spend by consolidating key software contracts. Major acquisitions are anticipated in the near future. Effective ITAM processes are expected to mitigate acquisition risk by supporting due diligence and streamlined integration of acquired organizations. Ransomware and supply chain security threats have increased demands for a comprehensive accounting of IT assets to support security controls development and security incident response. (Update this section with notes from your discussion.)

Step 1.4: Identify ITAM goals, target maturity

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Connect executive priorities to ITAM opportunities.
• Set business-aligned priorities for the ITAM practice.

“ITAM is really no different from the other ITIL practices: to succeed, you’ll need some ratio of time, treasure, and talent… and you can make up for less of one with more of the other two.” (Jeremy Boerger, Consultant and Author)

1.4 Identify near- and medium-term goals

15-30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Narrow down the list of opportunities to identify specific goals for the ITAM practice.

1. Use one color to highlight opportunities you will seize in the next year.
2. Use a second color to highlight opportunities you plan to address in the next three years.
3. Leave blank anything you don’t intend to address in this timeframe.

The highlighted opportunities are your near- and medium-term objectives.

1.4 Connect ITAM goals to tactics

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Let’s dig down a little deeper. Connect the list of opportunities from earlier to specific ITAM tactics that allow the team to seize those opportunities.

Add another row to the earlier table for ITAM tactics. Brainstorm tactics with your participants (e.g. sticky notes on a whiteboard) and align them with the priorities they’ll support.

Add your results to your copy of the ITAM Strategy Template

1.4 Identify current and target state

20 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

We’ll use this exercise to identify the current and one-year target state of ITAM using Info-Tech’s ITAM maturity framework.

1. Review the maturity framework on the next slide as a group.
2. In one color, highlight statements that reflect your organization today. Summarize your current state. Are you in firefighter mode? Between “firefighter” and “trusted operator”?
3. In a second color, highlight statements that reflect where you want to be one year from today, taking into consideration the goals and tactics identified in the last exercise.
4. During a break, copy the highlighted statements to the table on the slide after next, then add this final slide to your working copy of the ITAM Strategy Template.

Add your results to your copy of the ITAM Strategy Template

Establish current and target ITAM maturity

Innovator – Optimized Asset Management All items from Business & Technology Partner, plus: Business and IT stakeholders collaborate regularly with the ITAM team to identify new opportunities to leverage or deploy ITAM practices and data to mitigate risks, optimize spend, and improve service. The ITAM program scales with the business. Business & Technology Partner – Proactive Asset Management All items from Trusted Operator, plus: The ITAM data is integral to decisions related to budget, project planning, IT architecture, contract renewal, and vendor management. Software and cloud assets are reviewed as frequently as required to manage costs. ITAM data consumers have self-serve access to ITAM data. Continuous improvement practices strengthen ITAM efficiency and effectiveness. ITAM processes, standards, and related policies are regularly reviewed and updated. ITAM teams work closely with SMEs for key tools/systems integrated with ITAM (e.g. AD, ITSM, monitoring tools) to maximize the value and reliability of integrations. Trusted Operator – Controls Assets ITAM data for deployed hardware and software is regularly audited for accuracy. Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Policies and procedures are documented and enforced. Key licenses and contracts are available to the ITAM team. Discovery, tracking, and analysis tools support most important use cases. Firefighter – Reactive Asset Tracking Data is often untrustworthy, may be fragmented across multiple repositories, and typically requires significant effort to translate or validate before use. Insufficient staff, fragmented or incomplete policies or documentation. Data tracking processes are extremely highly manual. Effective cooperation for ITAM data collection is challenging. ITAM tools are in place, but additional configuration or tooling is needed. Unreliable - Struggles to Support No data, or data is typically unusable. No allocated staff, no cooperation between parties responsible for ITAM data collection. No related policies or documentation. Tools are non-existent or not fit-for-purpose.

Current and target ITAM maturity

Today: Firefighter Data is often untrustworthy, is fragmented across multiple repositories, and typically requires significant effort to translate or validate before use. Insufficient staff, fragmented or incomplete policies or documentation. Tools are non-existent. In One Year: Trusted Operator ITAM data for deployed hardware and software is regularly audited for accuracy. Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Discovery, tracking, and analysis tools support most important use cases.

Innovator – Optimized Asset Management Business & Technology Partner – Proactive Asset Management Trusted Operator – Controls Assets Firefighter – Reactive Asset Tracking Unreliable - Struggles to Support

Step 1.5: Write mission and vision statements

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Write a mission statement that encapsulates the purpose and intentions of the ITAM practice today.
• Write a vision statement that describes what the ITAM practice aspires to become and achieve.

Write vision and mission statements

Create two statements to summarize the role of the ITAM practice today – and where you want it to be in the future.

1.5 Write an ITAM vision statement

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: A whiteboard, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT Leaders and managers

Your vision statement describes the ITAM practice as it will be in the far future. It is a target to aspire to, beyond your ability to achieve in the near or medium term.

Examples of ITAM vision statements:

Develop the single accurate view of IT assets, available to anyone who needs it.

Indispensable data brokers that support strategic decisions on the IT environment.

Provide sticky notes to participants. Write out the three questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

1. What’s the desired future state of the ITAM practice?
2. What needs to be done to achieved this desired state?
3. How do we want ITAM to be perceived in this desired state?

Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

Document your vision statement in your ITAM Strategy Template.

Add your results to your copy of the ITAM Strategy Template

1.5 Write an ITAM mission statement

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Your ITAM mission statement is an expression of what your IT asset management function brings to your organization today. It should be presented in straightforward language that is compelling, easy to understand, and sharply focused.

Examples of ITAM mission statements:

Maintain accurate, actionable, accessible on data on all IT assets.

Support IT and the business with centralized and integrated asset data.

Provide sticky notes to participants. Write out the questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

1. What is our role as the asset management team?
2. How do we support the IT and business strategies?
3. What does our asset management function offer that no one else can?

Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

Document your vision statement in your ITAM Strategy Template.

Add your results to your copy of the ITAM Strategy Template

Step 1.6: Define ITAM metrics and KPIs

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Identify metrics, data, or reports that may be of interest to different consumers of ITAM data.
• Identify the key performance indicators (KPIs) for the ITAM practice, based on the goals and priorities established earlier.

Develop different metrics for different teams

A few examples:

• CIOs — CIOs need asset data to govern technology use, align to business needs, and demonstrate IT value. What do we need to budget for hardware and software in the next year? Where can we find money to support urgent new initiatives? How many devices and software titles do we manage compared to last year? How has IT helped the business achieve key goals?
• Asset Managers — Asset managers require data to help them oversee ITAM processes, technology, and staff, and to manage the fleet of IT assets they’re expected to track. What’s the accuracy rate of ITAM data? What’s the state of integrations between ITAM and other systems and processes? How many renewals are coming up in the next 90 days? How many laptops are in stock?
• IT Leaders — IT managers need data that can support their teams and help them manage the technology within their mandate. What technology needs to be reviewed or retired? What do we actually manage?
• Technicians — Service desk technicians need real-time access to data on IT assets to support service requests and incident management – for example, easy access to the list of equipment assigned to a particular user or installed in a particular location.
• Business Managers and Executives — Business managers and executives need concise, readable dashboards to support business decisions about business use of IT assets. What’s our overall asset spend? What’s our forecasted spend? Where could we reallocate spend?

1.6 Identify useful ITAM metrics and reports

60 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Use this exercise to identify as many potentially useful ITAM metrics and reports as possible, and narrow them down to a few high-priority metrics. Leverage the list of example metrics on the next slide for your own exercise. If you have more than six participants, consider splitting into two or more groups, and divide the table between groups to minimize overlap.

1. List potential consumers of ITAM data in the column on the left.
2. What type of information do we think this role needs? What questions about IT assets do we get on a regular basis from this role or team?
3. Review and consolidate the list as a group. Discuss and highlight any metrics the group thinks are a particularly high priority for tracking.

Add your results to your copy of the ITAM Strategy Template

Examples of ITAM metrics

Differentiate between metrics and KPIs

Key performance indicators (KPIs) are metrics with targets aligned to goals. Targets could include one or more of: Target state (e.g. completed) Target magnitude (e.g. number, percent, rate, dollar amount) Target direction (e.g. trending up or down) You may track many metrics, but you should have only a few KPIs (typically 2-3 per objective). A breached KPI should be a trigger to investigate and remediate the root cause of the problem, to ensure progress towards goals and priorities can continue. Which KPIs you track will change over the life of the practice, as ITAM goals and priorities shift. For example, KPIs may initially track progress towards maturing ITAM practices. Once you’ve reached target maturity, KPIs may shift to track whether the key service targets are being met.

1.6 Identify ITAM KPIs

20 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Good KPIs are a more objective measure of whether you’re succeeding in meeting the identified priorities for the ITAM practice.

Identify metrics that can measure progress or success against the priorities and goals set earlier. Aim for around three metrics per goal. Identify targets for the metric you think are SMART (specific, measurable, achievable, relevant, and timebound). Track your work using the example table below.

Add your results to your copy of the ITAM Strategy Template

Develop an IT Asset Management Strategy

Phase Outcomes:

Establish an approach to achieving ITAM goals and priorities, including scope, structure, tools, service management integrations, documentation, and more.

Create a roadmap that enables you to realize your approach.

Step 2.1: Define ITAM Scope

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Establish what types of equipment and software you’ll track through the ITAM practice.
• Establish which areas of the business will be in scope of the ITAM practice.

Determine ITAM Scope

Focus on what’s most important and then document it so everyone understands where they can provide the most value.

2.1 Establish scope for ITAM

45 minutes

Input: Organizational strategy documents

Output: ITAM scope, in terms of types of assets tracked and not tracked

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

Establish the hardware and software that are within the scope of the ITAM program by updating the tables below to reflect your own environment. The “out of scope” category will include asset types that may be of value to track in the future but for which the capability or need don’t exist today.

The following locations will be included in the ITAM program: All North and South America offices and retail locations.

Add your results to your copy of the ITAM Strategy Template

Step 2.2: Acquire ITAM Services

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Define the type of work that may be more effectively or efficiently delivered by an outsourcer or contractor.

“We would like our clients to come to us with an idea of where they want to get to. Why are you doing this? Is it for savings? Because you want to manage your security attack surface? Are there digital initiatives you want to move forward? What is the end goal?” (Mike Austin, MetrixData 360)

Effectively acquire ITAM services

Allow your team to focus on strategic, value-add activities by acquiring services that free them from commodity tasks. When determining which asset capabilities and activities are best kept in-house and which ones are better handled by a supplier, it is imperative to keep the value to the business in mind. Activities/capabilities that are challenging to standardize and are critical to enabling business goals are better kept in-house. Activities/capabilities that are (or should be) standardized and automated are ideal candidates for outsourcing. Outsourcing can be effective and successful with a narrow scope of engagement and an alignment to business outcomes. Organizations that heavily weigh cost reduction as a significant driver for outsourcing are far less likely to realize the value they expected to receive.

Business Enablement Supports business-aligned ITAM opportunities & priorities Highly specialized Offers competitive advantages

Vendor’s Performance Advantage Talent or access to skills Economies of scale Access to technology Does not require deep knowledge of your business

Decide what to outsource

It’s rarely all or nothing.

2.2 Identify outsourcing opportunities

1-2 hours

Input: Understanding of current ITAM processes and challenges

Output: Understanding of potential outsourcing opportunities

Materials: The table in this slide, and insight in previous slides, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

At a high level, discuss which functions of ITAM are good candidates for outsourcing.

Start with the previous slide for examples of outsourcing activities or capabilities directly related to or adjacent to the ITAM practice. Categorize these activities as follows:

Go through the list of activities to potentially or definitely outsource and confirm:

1. Will outsourcing solve a resourcing need for an existing process, or can you deliver this adequately in-house?
2. Will outsourcing improve the effectiveness and efficiency of current processes? Will it deliver more effective service channels or improved levels of reliability and performance consistency?
3. Will outsourcing provide or enable enhanced service capabilities that your IT customers could use, and which you cannot deliver in-house due to lack of scale or capacity?

Answering “no” to more than one of these questions suggests a need to further review options to ensure the goals are aligned with the potential value of the service offerings available.

Add your results to your copy of the ITAM Strategy Template

Step 2.3: Centralize or decentralize ITAM capabilities

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Outline where the team(s) responsible for ITAM sit across the organization, who they report to, and who they need to work with across IT and the business.

Align ITAM with IT’s structure

ITAM’s structure will typically align with the larger business and IT structure. The wrong structure will undermine your ability to meet ITAM goals and lead to frustration, missed work, inefficiency, and loss of value.

Which of the four archetypes below reflects the structure you need?

1. Centralized — ITAM is entirely centralized in a single function, which reports into a central IT department.
2. Decentralized — Local IT groups are responsible and accountable for ITAM. They may coordinate informally but do not report to any central team.
3. Hybrid-Shared Services — Local IT can opt in to shared services but must follow centrally set ITAM practices to do so, usually with support from a shared ITAM function.
4. Hybrid-Federated — Local IT departments are free to develop their own approach to ITAM outside of core, centrally set requirements.

Centralized ITAM

Total coordination, control, and oversight

ITAM accountability, policies, tools, standards, and expertise – in this model, they’re all concentrated in a single, specialized IT asset management practice. Accountability, authority, and oversight are concentrated in the central function as well. A central ITAM team will benefit from knowledge sharing and task specialization opportunities. They are a visible single point of contact for ITAM-related questions The central ITAM team will coordinate ITAM activities across the organization to optimize spend, manage risk, and enhance service. Any local IT teams are supported by and directly answerable to the central ITAM team for ITAM activities. There is a single, centrally managed ITAM database. Wherever possible, this database should be integrated with other tools to support cross-solution automation (e.g. integrate AD to automatically reflect user identity changes in the ITAM database). This model drives cross-organization coordination and oversight, but it may not be responsive to specific and nuanced local requirements.

Example: Centralized Direct reporting relationship Dotted line working or reporting relationship

Decentralized ITAM

Maximize choice

Hybrid: Federation

Centralization with a light touch

Hybrid: Shared Services

Optional centralization

Structure data collection & analysis

Consider the implications of structure on data.

Structure budget and contract management

Contract consolidation creates economies of scale for vendor management and license pooling that strengthen your negotiating position with vendors and optimize spend.

Structure technology management

Are there opportunities to centralize or decentralize support functions?

2.3 Review ITAM Structure

1-2 hours

Input: Understanding of current organizational structure, Understanding of challenges and opportunities related to the current structure

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

Outline the current model for your organization and identify opportunities to centralize or decentralize ITAM-related activities.

1. What model best describes how ITAM should be structured in your organization? Modify the slide outlining structure as a group to outline your own organization, as required.
2. In the table below, outline opportunities to centralize or decentralize data tracking, budget and contract management, and technology management activities.

Add your results to your copy of the ITAM Strategy Template

Step 2.4: Create a RACI

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Review the role of the IT asset manager.
• Identify who’s responsible, accountable, consulted, and informed for key ITAM activities.

Empower your asset manager

The asset manager is the critical ITAM role. Ensure they’re positioned to succeed.

IT asset managers must have a range of skills and knowledge

ITAM Operations, Process, and Practice Management The asset manager is typically responsible for managing and improving the ITAM practice and related processes and tools. The asset manager may administer the ITAM tool, develop reports and dashboards, evaluate and implement new technologies or services to improve ITAM maturity, and more. Organizational Knowledge An effective IT asset manager has a good understanding of your organization and its strategy, products, stakeholders, and culture. Technology & Product Awareness An IT asset manager must learn about new and changing technologies and products adopted by the organization (e.g. IoT, cloud) and develop recommendations on how to track and manage them via the ITAM practice.

People Management Asset managers often manage a team directly and have dotted-line reports across IT and the business. Communication Important in any role, but particularly critical where learning, listening, negotiation, and persuasion are so critical. Finance & Budgeting A foundational knowledge of financial planning and budgeting practices is often helpful, where the asset manager is asked to contribute to these activities. Contract Review & Analysis Analyze new and existing contracts to evaluate changes, identify compliance requirements, and optimize spend.

Assign ITAM responsibilities and accountabilities

2.4 Conduct a RACI Exercise

1-2 hours

Input: An understanding of key roles and activities in ITAM practices, An understanding of your organization, High-level structure of your ITAM program

Output: A RACI diagram for IT asset management

Materials: The table in the next slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

Let’s face it – RACI exercises can be dry. We’ve found that the approach below is more collaborative, engaging, and effective compared to filling out the table as a large group.

1. Create a shared working copy of the RACI charts on the following slides (e.g. write it out on a whiteboard or provide a link to this document and work directly in it).
2. Review the list of template roles and activities as a group. Add, change, or remove roles and activities from the table as needed.
3. Divide into small groups. Assign each group a set of roles, and have them define whether that role is accountable, responsible, consulted, or informed for each activity in the chart. Refer to the previous slide for context on RACI. Give everyone 15 minutes to update their section of the chart.
4. Come back together as a large group to review the chart. First, check for accountability – there should generally be just one role accountable for each activity. Then, have each small group walk through their section, and encourage participants to ask questions. Is there at least one role responsible for each task, and what are they responsible for? Does everyone listed as consulted or informed really need to be? Make any necessary adjustments.

Add your results to your copy of the ITAM Strategy Template

Define ITAM governance activities

Document asset management responsibilities and accountabilities

Step 2.5: Align ITAM with other Service Management Practices

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Establish shared and separate responsibilities for asset and configuration management.
• Identify how ITAM can support other practices, and how other practices can support ITAM.

Asset vs. Configuration

• IT asset management tends to focus on each IT asset in its own right: assignment or ownership, its lifecycle, and related financial obligations and entitlements.
• Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations to other CIs.
• ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they tend use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
• Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.

Configuration Management Database (CMDB) A database of uniquely identified configuration items (CIs). Each CI record may include information on: Service Attributes Supported Service(s) Service Description, Criticality, SLAs Service Owners Data Criticality/Sensitivity CI Relationships Physical Connections Logical Connections Dependencies		Discovery, Normalization, Dependency Mapping, Business Rules* Manual Data Entry This shared information could be attached to asset records, CI records, or both, and it should be synchronized between the two databases where it’s tracked in both. Hardware Information Serial, Model and Specs Network Address Physical Location Software Installations Hypervisor & OS Middleware & Software Software Configurations		Asset Management Database (AMDB) A database of uniquely identified IT assets. Each asset record may include information on: Procurement/Purchasing Purchase Request/Purchase Order Invoice and Cost Cost Center Vendor Contracts and MSAs Support/Maintenance/Warranties Asset Attributes Model, Title, Product Info, License Key Assigned User Lifecycle Status Last ITAM Audit Date Certificate of Disposal
IT Security Systems Vulnerability Management Threat Management SIEM Endpoint Protection		IT Service Management (ITSM) System Change Tickets Request Tickets Incident Tickets Problem Tickets Project Tickets Knowledgebase		Financial System/ERP General Ledger Accounts Payable Accounts Receivable Enterprise Assets Enterprise Contract Database

2.5 Integrate ITAM and configuration practices

45 minutes

Input: Knowledge of the organization’s configuration management processes

Output: Define how ITAM and configuration management will support one another

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, Configuration manager

Work through the table below to identify how you will collaborate and synchronize data across ITAM and configuration management practices and tools.

Add your results to your copy of the ITAM Strategy Template

ITAM supports service management

Decoupling asset management from other service management practices can result in lost value. Establish how asset management can support other service management practices – and how those practices can support ITAM.

2.5. Connect with other IT service practices

45 minutes

Input: Knowledge of existing organizational IT service management processes

Output: Define how ITAM will help other service management processes, and how other service management processes will help ITAM

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, Service leads

Complete the table below to establish what ITAM can provide to other service management practices, and what other practices can provide to ITAM.

Add your results to your copy of the ITAM Strategy Template

Step 2.6: Evaluate ITAM tools and integrations

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Create a list of the ITAM tools currently in use, how they’re used, and their current limitations.
• Identify new tools that could provide value to the ITAM practice, and what needs to be done to acquire and implement them.

“Everything is connected. Nothing is also connected.” (Dirk Gently’s Holistic Detective Agency)

Establish current strengths and gaps in your ITAM toolset

2.6 Evaluate ITAM existing technologies

30 minutes

Input: Knowledge of existing ITAM tools

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Identify the use, limitations, and next steps for existing ITAM tools, including those not directly managed by the ITAM team.

1. What tools do we have today?
2. What are they used for? What are their limitations?
3. Who manages them?
4. What actions could we take to maximize the value of the tools?

Add your results to your copy of the ITAM Strategy Template

2.6 Identify potential new tools

30 minutes

Input: Knowledge of tooling gaps, An understanding of available tools that could remediate gaps

Output: New tools that can improve ITAM capabilities, including expected value and proposed next steps

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Identify tools that are required to support the identified goals of the ITAM practice.

1. What types of tools do we need that we don’t have?
2. What could these tools help us do?
3. What needs to be done next to investigate or acquire the appropriate tool?

Add your results to your copy of the ITAM Strategy Template

Step 2.7: Create a plan for internal and external audits

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Establish your approach to internal data audits.
• Create a high-level response plan for external audits.

Validate ITAM data via internal audits

Data audits provide assurance that the records in the ITAM database are as accurate as possible. Consider these three approaches:

2.7 Set an approach to internal data audits

30 minutes

Input: An understanding of current data audit capabilities and needs

Output: An outline of how you’ll approach data audits, including frequency, scope, required resources

Materials: Your copy of the ITAM Strategy Template

Participants: ITAM team

Review the three internal data audit approaches outlined on the previous slide, and identify which of the three approaches you’ll use. For each approach, complete the fields in the table below.

Add your results to your copy of the ITAM Strategy Template

Prepare for and respond to external audits and true-ups

Are you ready when software vendors come knocking?

Identify areas of higher audit risk

Develop an audit response plan

2.7 Clarify your vendor audit response plan

1 hour

Input: Organizational knowledge on your current audit response procedures

Output: Audit response team membership, High-level audit checklist, A list of things to start, stop, and continue doing as part of the audit response

Materials: Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

1. Who’s on the audit response team, and what’s their role? Who will lead the team? Who will be the point of contact with the auditor?
2. What are the high-level steps in our audit response workflow? Use the example checklist below as a starting point.
3. What do we need to start, stop, and continue doing in response to audit requests?

Example Audit Checklist

• Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
• Acknowledge receipt of audit notice.
• Negotiate timing and scope of the audit.
• Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
• Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
• Compare entitlements to installed software.
• Investigate any anomalies (e.g. unexpected or non-compliant software).
• Review results with the audit response team.

Add your results to your copy of the ITAM Strategy Template

Step 2.8: Improve budget processes

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Identify what you need to start, stop, and continue to do to support budgeting processes.

Improve budgeting and forecasting

Insert ITAM into budgeting processes to deliver significant value.

Some examples of what ITAM can bring to the budgeting table: Trustworthy data on deployed assets and spending obligations tied to those assets. Projections of hardware due for replacement in terms of quantity and spend. Knowledge of IT hardware and software contract terms and pricing. Lists of unused or underused hardware and software that could be redeployed to avoid spend. Comparisons of spend year-over-year. Being part of the budgeting process positions ITAM for success in other ways: Helps demonstrate the strategic value of the ITAM practice. Provides insight into business and IT strategic projects and priorities for the year. Strengthens relationships with key stakeholders, and positions the ITAM team as trusted partners.

“Knowing what you have [IT assets] is foundational to budgeting, managing, and optimizing IT spend.” (Dave Kish, Info-Tech, Practice Lead, IT Financial Management)

2.8 Build better budgets

20 minutes

Input: Context on IT budgeting processes

Output: A list of things to start, stop, and continue doing as part of budgeting exercises

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

What should we start, stop, and continue doing to support organizational budgeting exercises?

Add your results to your copy of the ITAM Strategy Template

Step 2.9: Establish a documentation framework

Participants

• Project sponsor and lead facilitator
• ITAM team

Outcomes

• Identify key documentation and gaps in your documentation.
• Establish where documentation should be stored, who should own it, who should have access, and what should trigger a review.

Create ITAM documentation

ITAM documentation will typically support governance or operations.

Consider ITAM policies

2.9 Establish documentation gaps

15-30 minutes

Input: An understanding of existing documentation gaps and risks

Output: Documentation gaps, Identified owners, repositories, access rights, and review/update protocols

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, Optional: IT managers, ITAM business partners

Discuss and record the following:

• What planning/governance, operational, and tooling documentation do we still need to create? Who is accountable for the creation and maintenance of these documents?
• Where will the documentation be stored? Who can access these documents?
• What will trigger reviews or changes to the documents?

Add your results to your copy of the ITAM Strategy Template

Step 2.10: Create a roadmap and communication plan

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• A timeline of key ITAM initiatives.
• Improvement ideas aligned to key initiatives.
• A communication plan tailored to key stakeholders.
• Your ITAM Strategy document.

“Understand that this is a journey. This is not a 90-day project. And in some organizations, these journeys could be three or five years long.” (Mike Austin, MetrixData 360)

2.10 Identify key ITAM initiatives

30-45 minutes

Input: Organizational strategy documents

Output: A roadmap that outlines next steps

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, Project sponsor

1. Identify key initiatives that are critical to improving practice maturity and meeting business goals.
2. There should only be a handful of really key initiatives. This is the work that will have the greatest impact on your ability to deliver value. Too many initiatives muddy the narrative and can distract from what really matters.
3. Plot the target start and end dates for each initiative in the business and IT transformation timeline you created in Phase 1.
4. Review the chart and consider – what new capabilities should the ITAM practice have once the identified initiatives are complete? What transformational initiatives will you be better positioned to support?

Add your results to your copy of the ITAM Strategy Template

Transformation Timeline

2.10 Align improvement ideas to initiatives

45 minutes

Input: Key initiatives, Ideas for ITAM improvement collected over the course of previous exercises

Output: Concrete action items to support each initiative

Materials: The table in the next slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, Project sponsor

As you’ve been working through the previous exercises, you have been tracking ideas for improvement – now we’ll align them to your roadmap.

1. Review the list of ideas for improvement you’ve produced over the working sessions. Consolidate the list – are there any ideas that overlap or complement each other? Record any new ideas. Frame each idea as an action item – something you can actually do.
2. Connect the action items to initiatives. It may be that not every action item becomes part of a key initiative. (Don’t lose ideas that aren’t part of key initiatives – track them in a separate burndown list or backlog.)
3. Identify a target completion date and owner for each action item that’s part of an initiative.

Add your results to your copy of the ITAM Strategy Template

Example ITAM initiatives

2.10 Create a communication plan

45 minutes

Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: IT asset manager, Project sponsor

Develop clear, consistent, and targeted messages to key ITAM stakeholders.

1. Modify the list of stakeholders in the first column.
2. What benefits should those stakeholders realize from ITAM? What impact may the proposed improvements have on them? Refer back to exercises from Phase 1, where you identified key stakeholders, their priorities, and how ITAM could help them.
3. Identify communication channels (in-person, email, all-hands meeting, etc.) and timing – when you’ll distribute the message. You may choose to use more than one channel, and you may need to convey the message more than once.

Add your results to your copy of the ITAM Strategy Template

2.10 Put the final touches on your ITAM Strategy

30 minutes

Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: IT asset manager, Project sponsor

You’re almost done! Do a final check of your work before you send a copy to your participants.

1. Summarize in three points the key findings from the activities you’ve worked through. What have you learned? What are your priorities? What key message do you need to get across? Add these to the appropriate slide near the start of the ITAM Strategy Template.
2. What are your immediate next steps? Summarize no more than five and add them to the appropriate slide near the start of the ITAM Strategy Template.
   1. Are you asking for something? Approval for ITAM initiatives? Funding? Resources? Clearly identify the ask as part of your next steps.
3. Are the KPIs identified in Phase 1 still valid? Will they help you monitor for success in the initiatives you’ve identified in Phase 2? Make any adjustments you think are required to the KPIs to reflect the additional completed work.

Add your results to your copy of the ITAM Strategy Template

Research Contributors and Experts

Research Contributors and Experts

Bibliography

“Asset Management.” SFIA v8. Accessed 17 March 2022.

Boerger, Jeremy. Rethinking IT Asset Management. Business Expert Press, 2021.

Canavan, Rory. “C-Suite Cheat Sheet.” SAM Charter, 2021. Accessed 17 March 2022.

Fisher, Matt. “Metrics to Measure SAM Success.” Snow Software, 26 May 2015. Accessed 17 March 2022.

Flexera (2021). “State of ITAM Report.” Flexera, 2021. Accessed 17 March 2022.

Fowler, Kylie. “ITAM by design.” BCS, The Chartered Institute for IT, 2017. Accessed 17 March 2022.

Fowler, Kylie. “Ch-ch-ch-changes… Is It Time for an ITAM Transformation?” ITAM Intelligence, 2021. Web. Accessed 17 March 2022.

Fowler, Kylie. “Do you really need an ITAM policy?” ITAM Accelerate, 15 Oct. 2021. Accessed 17 March 2022.

Hayes, Chris. “How to establish a successful, long-term ITAM program.” Anglepoint, Sept. 2021. Accessed 17 March 2022.

ISO/IEC 19770-1-2017. IT Asset Management Systems – Requirements. Third edition. ISO, Dec 2017.

Joret, Stephane. “IT Asset Management: ITIL® 4 Practice Guide”. Axelos, 2020.

Jouravlev, Roman. “IT Service Financial Management: ITIL® 4 Practice Guide”. Axelos, 2020.

Pagnozzi, Maurice, Edwin Davis, Sam Raco. “ITAM Vs. ITSM: Why They Should Be Separate.” KPMG, 2020. Accessed 17 March 2022.

Rumelt, Richard. Good Strategy, Bad Strategy. Profile Books, 2013.

Stone, Michael et al. “NIST SP 1800-5 IT Asset Management.” Sept, 2018. Accessed 17 March 2022.

Present Security to Executive Stakeholders

Learn how to communicate security effectively to obtain support from decision makers.

Analyst Perspective

Build and deliver an effective security communication to your executive stakeholders.

As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected. However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging. Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives. Ahmad Jowhar Research Specialist, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Your challenge

As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

• When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
• This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
• Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

62% find it difficult to balance the risk of too much detail and need-to-know information.

41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

Source: Deloitte, 2022

Common obstacles

There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

• Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
• The issue has been amplified, with security threats constantly increasing across all industries.
• However, security leaders don’t feel that they are in a position to make themselves heard.
• The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
• Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

77% of organizations have seen an increase in the number of attacks in 2021.

56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

Source: EY, 2021

Info-Tech’s methodology for presenting security to executive stakeholders

Develop a structured process for communicating security to your stakeholders

Security presentations are not a one-way street
The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Identifying your goals is the foundation of an effective presentation
Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

Harness the power of data
Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

Take your audience on a journey
Developing a storytelling approach will help engage with your audience.

Win your audience by building a rapport
Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

Tactical insight
Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

Tactical insight
Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

Project deliverables

This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

Report on Security Initiatives Template showing how to inform executive stakeholders of security initiatives.		Security Metrics Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.
Security Incident Response & Recovery Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.		Security Funding Request Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

Key template:

Template showing how to inform executive stakeholders of proactive security and risk initiatives.

Blueprint benefits

Measure the value of this blueprint

* The financial figure depicts the annual salary of a CISO in 2022

Source: Chief Information Security Officer Salary.” Salary.com, 2022

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Identify communication goals

This phase will walk you through the following activities:

• Understanding the different drivers for communicating security to executive stakeholders
• Identifying different communication goals

This phase involves the following participants:

• Security leader

1.1. Identify drivers for communicating to executive stakeholders

As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

Source: EY, 2021.

Info-Tech Insight

Not all security presentations are the same. Keep your communication strategy and processes agile.

Know your drivers for security presentations

By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

• These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
• Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

Understanding drivers will also help you understand how to present security to executive stakeholders.

• These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
• For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

Identify your communication drivers, which can stem from various initiatives and programs, including:

• Results from internal or external audit reports.
• Upcoming budget meetings.
• Briefing newly elected executive stakeholders on security.

When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

Examples of drivers for security presentations

Audit
Upcoming internal or external audits might require updates on the organization’s compliance

Organizational restructuring
Restructuring within an organization could require security updates

Merger & Acquisition
An M&A would trigger presentations on organization’s current and future security posture

Cyber incident
A cyberattack would require an immediate presentation on its impact and the incident response plan

Ad hoc
Provide security information requested by stakeholders

1.2. Define your goals for communicating to executives

After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

• Communication drivers are mainly triggers for why you want to present security.
• Communication goals are the potential outcomes you are hoping to obtain from the presentation.
• Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

• As a group, brainstorm the security goals that align with your business goals for the coming year.
  • Aim to have at least two business goals that align with each security goal.
• Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
  • E.g. Increased security awareness, updates on organization's security posture.
• Identify what the ask is for this presentation.
  • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

Info-Tech Insight

There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

Examples of security presentation goals

Educate
Educate the board on security trends and/or latest risks in the industry

Update
Provide updates on security initiatives, relevant security metrics, and compliance posture

Inform
Provide an incident response plan due to a security incident or deliver updates on current threats and risks

Investment
Request funding for security investments or financial updates on past security initiatives

Ad hoc
Provide security information requested by stakeholders

Phase 2

Collect information to support goals

This phase will walk you through the following activities:

• Understanding what types of data to include in your security presentations
• Defining where and how to retrieve data

This phase involves the following participants:

• Security leader
• Network/security analyst

2.1 Identify data to collect

After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

• Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
• The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
• Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

• Work with your security team to identify the main type of data applicable to the communication goals.
  • E.g. Financial data would be meaningful to use when communicating a budget presentation.
• Identify supporting data linked to the main data defined.
  • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
• Show how both the main and supporting data align with the communication goals.
  • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

Info-Tech Insight

Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

Examples of data to present

Educate
Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

Update
Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

Inform
Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

Investment
Capital and operating expenditure for investment; ROI on past and future security initiatives

Ad hoc
Number of security initiatives that went over budget; phishing test campaign results

2.2 Plan how to retrieve the data

Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

• Most of the data leveraged for security presentations are structured data, which are highly organized data that are often stored in a relational and easily searchable database.
  • This includes security log reports or expenditures for ongoing and future security investments.
• Retrieving the data, however, would require collaboration and cooperation from different team members.
• You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

Once the data source and owner has been identified, you need to plan how the data would be processed and leveraged for your presentation

• This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
• Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

Info-Tech Insight

Using a data-driven approach to help support your objectives is key to engaging with your audience.

Plan where to retrieve the data

Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

Examples of where to retrieve your data

Phase 3

Develop communication

This phase will walk you through the following activities:

• Identifying a communication strategy for presenting security
• Identifying security templates that are applicable to your presentation

This phase involves the following participants:

• Security leader

3.1 Plan communication: Know who your audience is

• When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
• This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

Examples of two profiles in a boardroom

3.1.1 Know what your audience cares about

• Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
• Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
• Your background research could include:
  • Researching the audience’s professional background through LinkedIn.
  • Reviewing their comments from past executive meetings.
  • Researching current security trends that align with organizational goals.
• Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

A board’s purpose can include the following:

• Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
• Determining and funding the organization’s future and direction.
• Protecting and increasing shareholder value.
• Protecting the company’s exposure to risks.

Examples of potential values and risks

• Business impact
• Financial impact
• Security and incidents

Info-Tech Insight
Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

Understand your audience’s concerns

• Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
• By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
• These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
• After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

Examples of potential concerns for each profile of executive stakeholders

Build your presentation to tackle their main concerns

Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

Checklist:

• Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
• Include value and risk language in your presentation to appeal to your audience.
• Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
• Include information about what is in it for them and the organization.
• Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

Info-Tech Insight
The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

3.1.2 Take your audience through a security journey

• Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
• You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
• Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
• You can derive insights for your storytelling presentation by doing the following:
  • Provide a business case scenario on the topic you are presenting.
  • Identify and communicate the business problem up front and answer the three questions (why, what, how).
  • Quantify the problems in terms of business impact (money, risk, value).

Info-Tech Insight
Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

Identify the purpose of your presentation

You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

Examples of communication goals

Info-Tech Insight
Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

Gather the right information to include in your boardroom presentation

Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

Typical IT boardroom presentations include:

• Communicating the value of ongoing business technology initiatives.
• Requesting funds or approval for a business initiative that IT is spearheading.
• Security incident response/Risk/DRP.
• Developing a business program or an investment update for an ongoing program.
• Business technology strategy highlights and impacts.
• Digital transformation initiatives (value, ROI, risk).

Info-Tech Insight
You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

Info-Tech Insight
Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

Structure your presentation to tell a logical story

To build a strong story for your presentation, ensure you answer these three questions:

Examples:

Scenario 1: The company has experienced a security incident.

Intent: To inform/educate the board about the security incident.

Scenario 2: Security is recommending investments based on strategic priorities.

Intent: To reach a decision with the board – approve investment proposal.

Time plays a key role in delivering an effective presentation

What you include in your story will often depend on how much time you have available to deliver the message.

Consider the following:

• Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
• If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
• Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
• Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

Navigating through Q&A

Use the Q&A portion to build credibility with the board.

• It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
• When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
  • “Let’s work with the sub-committee to find you an answer.”
  • “Let’s take that offline to address in more detail.”
  • “I have some follow-up material I can provide you to discuss that further after our meeting.”
• And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

Info-Tech Insight
The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

Storytelling checklist

Checklist:

• Tailor your presentation based on how much time you have.
• Find out ahead of time how much time you have.
• Identify if your presentation is to inform/educate or reach a decision.
• Identify and communicate the business problem up front and answer the three questions (why, what, how).
• Express the problem in terms of business impact (risk, value, money).
• Prepare and send pre-meeting collateral to the members of the board and executive team.
• Include no more than 5-6 slides for your presentation.
• Factor in Q&A time at the end of your presentation window.
• Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
• Have an elevator speech handy – one or two sentences and a one-pager version of your story.
• Consider how you will build your relationship with the members outside the boardroom.

3.1.3 Build a compelling communication document

Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

A good slide design increases the likelihood that the audience will read the content carefully.

• Bad slide structure (flow) = Audience loses focus
  • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
• Good visual design = Audience might read more
  • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
• Good content + Good structure + Visual appeal = Good presentation
  • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

Slide design best practices

Leverage these slide design best practices to assist you in developing eye-catching presentations.

• Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
• Concise and clear: Fewer words = more skim-able.
• Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
• Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
• Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
• Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

Your presentation must have a logical flow

Vertical logic should be intuitive

The audience is unsure where to look and in what order.	The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

Horizontal and vertical logic checklists

Make it easy to read

Unnecessary coloring makes it hard on the eyes Margins for title at top is too small Content is not skim-able (best to break up the slide)	Increase skim-ability: Emphasize the subheadings Bold important words Make it easier on the eyes: Declutter and add sections Have more white space

Be concise and clear

1. Write your thoughts down
   • This gets your content documented.
   • Don’t worry about clarity or concision yet.
2. Edit for clarity
   • Make sure the key message is very clear.
   • Find your thesis statement.
3. Edit for concision
   • Remove unnecessary words.
   • Use the active voice, not passive voice (see below for examples).

Be memorable

Easy to read, but hard to remember the stats.	The visuals make it easier to see the size of the problem and make it much more memorable. Remember to: Have some kind of visual (e.g. graphs, icons, tables). Divide the content into sections. Have a bit of color on the page.

Aesthetics

This draft slide is just content from the outline document on a slide with no design applied yet.	Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate. Divide the content into sections. Have a bit of color on the page. Bold or italicize important text.

Why use visuals?

How graphics affect us

Cognitively

• Engage our imagination
• Stimulate the brain
• Heighten creative thinking
• Enhance or affect emotions

Emotionally

• Enhance comprehension
• Increase recollection
• Elevate communication
• Improve retention

Visual clues

• Help decode text
• Attract attention
• Increase memory

Persuasion

• 43% more effective than text alone

Source: Management Information Systems Research Center

Presentation format

Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

• Is there a standard presentation template?
• Is a hard-copy handout required?
• Is there a deadline for draft submission?
• Is there a deadline for final submission?
• Will the presentation be circulated ahead of time?
• Do you know what technology you will be using?
• Have you done a dry run in the meeting room?
• Do you know the meeting organizer?

Checklist to build compelling visuals in your presentation

Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

Checklist:

• Do the visuals grab the audience’s attention?
• Will the visuals mislead the audience/confuse them?
• Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
• Do the visuals present information simply, cleanly, and accurately?
• Do the visuals display the information/data in a concentrated way?
• Do the visuals illustrate messages and themes from the accompanying text?

3.2 Security communication templates

Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck. These presentation templates highlight different security topics depending on your communication drivers, goals, and available data. Info-Tech has created five security templates to assist you in building a compelling presentation. These templates provide support for presentations on the following five topics: Security Initiatives Security & Risk Update Security Metrics Security Incident Response & Recovery Security Funding Request Each template provides instructions on how to use it and tips on ensuring the right information is being presented. All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

Download the Security Presentation Templates

Security template example

It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.	This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

Security template example (continued)

This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

Security template example (continued)

This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.	The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

Phase 4

Deliver communication

This phase will walk you through the following activities:

• Identifying a strategy to deliver compelling presentations
• Ensuring you follow best practices for communicating and obtaining your security goals

This phase involves the following participants:

• Security leader

4.1 Deliver a captivating presentation

You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

Follow these tips to assist you in developing an engaging presentation:

• Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
• Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
• Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

Keep your audience engaged with these steps

• Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
• Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
• Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
• Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

Info-Tech Insight
Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

Be honest and straightforward with your communication

• Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
• Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
• No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

Hone presentation skills before meeting with the executive stakeholders

Checklist for presentation logistics

Optimize the timing of your presentation:

• Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
• Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
• Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

Script your presentation:

• Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
• Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
• Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
• Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

Checklist for presentation logistics (continued)

Other considerations:

• After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
• After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
• Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

Checklist for delivering a captivating presentation

Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

Checklist:

• Start with a story or something memorable to break the ice.
• Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
• Content must compliment your end goal, filter out any content that doesn’t compliment the end goal.
• Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
• Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

Checklist for delivering a captivating presentation (continued)

• Be deliberate in what you want to show your audience.
• Ensure you have clean slides so the audience can focus on what you’re saying.
• Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
• How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
• Ask for feedback.
• Record yourself presenting.

4.2 Obtain and verify support on security goals

Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

• This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
• Leverage your appendix and other supporting documents to justify your goals.
• Different approaches to obtaining and verifying your goals could include:
  • Acknowledgment from the audience that information communicated aligns with the business’s goals.
  • Approval of funding requests for security initiatives.
  • Written and verbal support for implementation of security initiatives.
  • Identifying next steps for information to communicate at the next executive stakeholder meeting.

Info-Tech Insight
Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

Checklist for obtaining and verify support on security goals

Follow this checklist to assist you in obtaining and verifying your communication goals.

Checklist:

• Be clear about follow-up and next steps if applicable.
• Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
• “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
• Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

Summary of Accomplishment

Problem Solved

A better understanding of security communication drivers and goals

• Understanding the difference between communication drivers and goals
• Identifying your drivers and goals for security presentation

A developed a plan for how and where to retrieve data for communication

• Insights on what type of data can be leveraged to support your communication goals
• Understanding who you can collaborate with and potential data sources to retrieve data from

A solidified communication plan with security templates to assist in better presenting to your audience

• A guideline on how to prepare security presentations to executive stakeholders
• A list of security templates that can be customized and used for various security presentations

A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

• Clear message on best practices for delivering security presentations to executive stakeholders
• Understanding how to verify your communication goals have been obtained

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Related Info-Tech Research

Build an Information Security Strategy
This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

Build a Security Metrics Program to Drive Maturity
This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

Bibliography

Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
Carnegie Endowment for International Peace. Web.
“Chief Information Security Officer Salary.” Salary.com, 2022. Web.
“CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
“Cyber Security Oversight in the Boardroom” KPMG, Jan. 2016. Web.
“Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
Dacri , Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
“Global Board Risk Survey.” EY. Web.
“Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
“How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors” Dentons. Web.
Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

Bibliography

“Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
“Reporting Cybersecurity Risk to the Board of Directors.” Web.
“Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance ,12 July 2022. Web.
Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
“The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
“Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
“Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

Research Contributors

• Fred Donatucci, New-Indy Containerboard, VP, Information Technology
• Christian Rasmussen, St John Ambulance, Chief Information Officer
• Stephen Rondeau, ZimVie, SVP, Chief Information Officer

Mitigate the Risk of Cloud Downtime and Data Loss

Resilience and disaster recovery in an increasingly Cloudy and SaaSy world.

Analyst Perspective

Use this blueprint to expand your DRP and BCP to account for cloud services

As more applications are migrated to cloud-based services, disaster recovery (DR) and business continuity plans (BCP) must include an understanding of cloud risks and actions to mitigate those risks. This includes evaluating vendor and service reliability and resilience, security measures, data protection capabilities, and technology and business workarounds if there is a cloud outage or incident.

Use the risk assessments and cloud service incident response plans developed through this blueprint to supplement your DRP and BCP as well as further inform your crisis management plans (e.g. account for cloud risks in your crisis communication planning).

Executive Summary

Info-Tech Insight

Asking vendors about their DRP, BCP, and overall resilience has become commonplace. Expect your vendors to provide answers so you can assess risk. Furthermore, your vendor may have additional offerings to increase resilience or recommendations for third parties who can further assist your goals of improving cloud service resilience.

Key deliverable

Cloud Services Resilience Summary

Provide leadership with a summary of cloud risk, downtime workarounds implemented, and additional data protection.

Additional tools and templates in this blueprint