Network Segmentation

Protect your network by controlling the conversations within it.

Executive Summary

Info-Tech Insight

Executive Summary

Info-Tech Insight

The aim of networking is communication, but unfettered communication can be a liability. Appropriate segmentation in networks, blocking communications where they are not required or desired, restricts lateral movement within the network, allowing for better risk mitigation and management.

Network segmentation

How do you execute on network segmentation?

Identify risks by understanding access across the network

Understand the network space

Info-Tech Insight

The more granular you are in the definition of the network space, the more granular you can be in your segmentation. The unfortunate corollary to this is that the difficulty of managing your end solution grows with the granularity of your segmentation.

Create appropriate policy

Prioritize the potential segmentation

Info-Tech Insight

Be sure to keep this exercise relative so that a clear ranking occurs. If it turns out that everything is a priority, then nothing is a priority. When ranking things relative to others in the exercise, we ensure clear “winners” and “losers.”

Assess risk and prioritize action

1-3 hours

1. Define a list of users and services that define the network space to be addressed. If the lists are too long, use an exercise like affinity diagramming to appropriately group them into a smaller subset.
2. Create a matrix from the lists (put users and services along the rows and columns). In the intersecting points, label how the traffic should be treated (e.g. Permissive, Restricted, Rejected).
3. Examine the matrix and assess the intersections for risk using the lens of impact and likelihood of an adverse event. Label the intersections for risk level with one of green (low impact/likelihood), yellow (medium impact/likelihood), or red (high impact/likelihood).
4. Find commonalities within the medium/high areas and list the users or services as priorities to be addressed.

Design segmentation

Segmentation comes in many flavors; decide which is right for the specific circumstance.

Decide on which methods work for your circumstances

You always have options…

There are multiple lenses to look through when making the decision of what the correct segmentation method might be for any given user group or service. A potential subset could include:

• Effort to deploy
• Cost of the solution
• Skills required to operate
• Granularity of the segmentation
• Adaptability of the solution
• Level of automation in the solution

Info-Tech Insight

Network segmentation within an organization is rarely a one-size-fits-all proposition. Be sure to look at each situation that has been identified to need segmentation and align it with an appropriate solution. The overall number of solutions deployed has to maintain a balance between that appropriateness and the effort to manage multiple environments.

Framework to examine segmentation methods

To assess we need to understand.

To assess when technologies or methodologies are appropriate for a segmentation use case, we need to understand what those options are. We will be examining potential segmentation methods and concepts within the following framework:

WHAT

A description of the segmentation technology, method, or concept.

WHY

Why would this be used over other choices and/or in what circumstances?

HOW

A high-level overview of how this option could or would be deployed.

Notional assessments will be displayed in a sidebar to give an idea of Effort, Cost, Skills, Granularity, Adaptability, and Automation.

Air gap

… And never the twain shall meet.

– Rudyard Kipling, “The Ballad of East and West.”

WHAT

Air gapping is a strategy to protect portions of a network by segmenting those portions and running them on completely separate hardware from the primary network. In an air gap scenario, the segmented network cannot have connectivity to outside networks. This difference makes air gapping a very specific implementation of parallel networks (which are still segmented and run on separate hardware but can be connected through a control point).

WHY

Air gap is a traditional choice when environments need to be very secure. Examples where air gaps exist(ed) are:

• Operational technology (OT) networks
• Military networks
• Critical infrastructure

HOW

Most networks are not overprovisioned to a level that physical segmentation can be done without purchasing new equipment. The major steps required for constructing an air gap include:

• Design segmentation
• Purchase and install new hardware
• Cable to new hardware

Info-Tech Insight

An air gapped network is the ultimate in segmentation and security … as long as the network does not require connectivity. It is unfortunately rare in today’s world that a network will stand on its own without any need for external connectivity.

VLAN

Do what you can, with what you’ve got…

– Theodore Roosevelt

WHAT

Virtual local area networks (VLANs) are a standard feature on today’s firewalls, routers, and manageable switches. This configuration option allows for network traffic to be segmented into separate virtual networks (broadcast domains) on existing hardware. This segmentation is done at layer 2 of the OSI model. All traffic will share the same hardware but be partitioned based on “tags” that the local device applies to the traffic. Because of these tags, traffic is handled separately at layer 2 of the OSI model, but traffic can pass between segments at layer 3 (e.g. IP layer).

WHY

VLANs are commonly used because most existing deployments already have the technology available without extra licensing. VLANs are also potentially used as foundational components in more complex segmentation strategies such as static or dynamic overlays.

HOW

VLANs allow for segmentation of a device at the port level. VLAN strategies are generally on a location level (e.g. most VLAN deployments are local to a site, though the same structure may be used among sites). To deploy VLANs you must:

• Define VLAN segments
• Assign ports appropriately

Info-Tech Insight

VLANs are tried and true segmentation workhorses. The fact that they are already included in modern manageable solutions means that there is very little reason to not have some level of segmentation within a network.

Micro-segmentation

Everyone is against micromanaging, but macro managing means you’re working on the big picture but don’t understand the details.

– Henry Mintzberg

WHAT

Micro-segmentation is used to secure and control network traffic between workloads. This is a foundational technology when implementing zero trust or least-privileged access network designs. Segmentation is done at or directly adjacent to the workload (on the system or its direct network connectivity) through firewall or similar policy controls. The controls are set to only allow the network communication required to execute the workload and is limited to appropriate endpoints. This restrictive design restricts all traffic (including east-west) and reduces the attack surface.

WHY

Micro-segmentation is primarily used:

• In server-to-server communication.
• When lateral movement by bad actors is identified as a concern.

HOW

Micro-segmentation can be deployed at different places within the connectivity depending on the technologies used:

• Workload/server (e.g. server firewall)
• VM network overlay (e.g. VMware NSX)
• Network port (e.g. ACL, firewall, ACI)
• Cloud native (e.g. Azure Firewall)

Info-Tech Insight

Micro-segmentation is necessary in the data center to limit lateral movement. Just be sure to be thorough in defining required communication as this technology works on allowlists, not traditional blocklists.

Static overlay

Adaptability is key.

– Marc Andreessen

WHAT

Static overlays are a form of virtual segmentation that allows multiple network segments to exist on the same device. Most of these solutions will also allow for these segments to expand across multiple devices or sites, creating overlay virtual networks on top of the existing physical networks. The static nature of the solution is because the ports that participate in the overlays are statically assigned and configured. Connectivity between devices and sites is done through encapsulation and may have a dynamic component of the control plane handled through routing protocols.

WHY

Static overlays are commonly deployed when the need is to segment different use cases or areas of the organization consistently across sites while allowing easy access within the segments between sites. This could be representative of segmenting a department like Finance or extending a layer 2 segment across data centers.

HOW

Static overlays are can segment and potentially extend a layer 2 or layer 3 network. These solutions could be executed with technologies such as:

• VXLAN (Virtual eXtensible LAN)
• MPLS (Multi Protocol Label Switching)
• VRF (Virtual Routing & Forwarding)

Info-Tech Insight

Static overlays are commonly deployed by telecommunications providers when building out their service offerings due to the multitenancy requirements of the network.

Dynamic overlay

Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.

– George S. Patton

WHAT

A dynamic overlay segmentation solution has the ability to make security or traffic decisions based on policy. Rather than designing and hardcoding the network architecture, the policy is architected and the network makes decisions based on that policy. Differing levels of control exist in this space, but the underlying commonality is that the segmentation would be considered “software defined” (SDN).

WHY

Dynamic overlay solutions provide the most flexibility of the presented solutions. Some use cases such as BYOD or IoT devices may not be easily identified or controlled through static means. As a general rule of thumb, the less static the network is, the more dynamic your segmentation solution must be.

HOW

Policy is generally applied at the network ingress. When applying policy, which policy to be applied can be identified through different methodologies such as:

• Authentication (e.g. 802.1x)
• Device agents
• Device profiling

Info-Tech Insight

Dynamic overlays allow for more flexibility through its policy-based configurations. These solutions can provide the highest value when positioned where we have less control of the points within a network (e.g. BYOD scenarios).

Define how your segments will communicate

No segment is an island…

Network segmentation allows for protection of devices, users, or data through the act of separating the physical or virtual networks they are on. Counter to this protective stance, especially in today’s networks, these devices, users, or data tend to need to interact with each other outside of the neat lines we draw for them. Proper network segmentation has to allow for the transfer of assets between networks in a safe and secure manner.

Info-Tech Insight

The solutions used to facilitate the controlled communication between segments has to consider the friction to the users. If too much friction is introduced, people will try to find a way around the controls, potentially negating the security that is intended with the solution.

Potential access methods

A ship in harbor is safe, but that is not what ships are built for.

– John A. Shedd

Operate and optimize

Security is not static. Monitor and iterate on policies within the environment.

Monitor for efficacy, compliance, and the unknown

Monitor to ensure your intended results and to identify new potential risks.

Monitoring network segments

A combination of passive and active monitoring is required to ensure that:

• The rules that have been deployed are working as expected.
• Appropriate proof of compliance is in place for auditing and insurance purposes.
• Environments are being monitored for unexpected traffic.

Active monitoring goes beyond the traditional gathering of information for alerts and dashboards and moves into the space of synthetic users and anomaly detection. Using these strategies helps to ensure that security is enforced appropriately and responses to issues are timely.

"We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."

– Dr. Larry Ponemon, Chairman Ponemon Institute, at SecureWorld Boston

Info-Tech Insight

Using solutions like network detection and response (NDR) will allow for monitoring to take advantage of advanced analytical techniques like artificial intelligence (AI) and machine learning (ML). These technologies can help identify anomalies that a human might miss.

Monitoring options

It’s not what you look at that matters, it’s what you see.

– Henry David Thoreau

Gather feedback, assess the situation, and iterate

Take input from operating the environment and use that to optimize the process and the outcome.

Optimize through iteration

Output from monitoring must be fed back into the process of maintaining and optimizing segmentation. Network segmentation should be viewed as an ongoing process as opposed to a singular structured project.

Monitoring can and will highlight where and when the segmentation design is successful and when new traffic flows arise. If these inputs are not fed back through the process, designs will become stagnant and admins or users will attempt to find ways to circumvent solutions for ease of use.

"I think it's very important to have a feedback loop, where you're constantly thinking about what you've done and how you could be doing it better. I think that's the single best piece of advice: constantly think about how you could be doing things better and questioning yourself."

– Elon Musk, qtd. in Mashable, 2012

Info-Tech Insight

The network environment will not stay static; flows will change as often as required for the business to succeed. Take insights from monitoring the environment and integrate them into an iterative process that will maintain relevance and usability in your segmentation.

Bibliography

Andreessen, Marc. “Adaptability is key.” BrainyQuote, n.d.
Barry Schwartz. The Paradox of Choice: Why More Is Less. Harper Perennial, 18 Jan. 2005.
Capers, Zach. “GetApp’s 2022 Data Security Report—Seven Startling Statistics.” GetApp,
19 Sept. 2022.
Cisco Systems, Inc. “Cybersecurity resilience emerges as top priority as 62 percent of companies say security incidents impacted business operations.” PR Newswire, 6 Dec. 2022.
“Dynamic Network Segmentation: A Must-Have for Digital Businesses in the Age of Zero Trust.” Forescout Whitepaper, 2021. Accessed Nov. 2022.
Eaves, Johnothan. “Segmentation Strategy - An ISE Prescriptive Guide.” Cisco Community,
26 Oct. 2020. Accessed Nov. 2022.
Kambic, Dan, and Jason Fricke. “Network Segmentation: Concepts and Practices.” Carnegie Mellon University SEI Blog, 19 Oct. 2020. Accessed Nov. 2022.
Kang, Myong H., et al. “A Network Pump.” IEEE Transactions on Software Engineering, vol. 22 no. 5, May 1996.
Kipling, Rudyard. “The Ballad of East and West.” Ballads and Barrack-Room Ballads, 1892.
Mintzberg, Henry. “Everyone is against micro managing but macro managing means you're working at the big picture but don't know the details.” AZ Quotes, n.d.
Murphy, Greg. “A Reimagined Purdue Model For Industrial Security Is Possible.” Forbes Magazine, 18 Jan. 2022. Accessed Oct. 2022.
Patton, George S. “Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.” BrainyQuote, n.d.
Ponemon, Larry. “We discovered in our research […].” SecureWorld Boston, n.d.
Roosevelt, Theodore. “Do what you can, with what you've got, where you are.” Theodore Roosevelt Center, n.d.
Sahoo, Narendra. “How Does Implementing Network Segmentation Benefit Businesses?” Vista Infosec Blog. April 2021. Accessed Nov. 2022.
“Security Outcomes Report Volume 3.” Cisco Secure, Dec 2022.
Shedd, John A. “A ship in harbor is safe, but that is not what ships are built for.” Salt from My Attic, 1928, via Quote Investigator, 9 Dec. 2023.
Singleton, Camille, et al. “X-Force Threat Intelligence Index 2022” IBM, 17 Feb. 2022.
Accessed Nov. 2022.
Stone, Mark. “What is network segmentation? NS best practices, requirements explained.” AT&T Cyber Security, March 2021. Accessed Nov. 2022.
“The State of Breach and Attack Simulation and the Need for Continuous Security Validation: A Study of US and UK Organizations.” Ponemon Institute, Nov. 2020. Accessed Nov. 2022.
Thoreau, Henry David. “It’s not what you look at that matters, it’s what you see.” BrainyQuote, n.d.
Ulanoff, Lance. “Elon Musk: Secrets of a Highly Effective Entrepreneur.” Mashable, 13 April 2012.
“What Is Microsegmenation?” Palo Alto, Accessed Nov. 2022.
“What is Network Segmentation? Introduction to Network Segmentation.” Sunny Valley Networks, n.d.

Build a Data Classification MVP for M365

Kickstart your governance with data classification users will actually use!

Executive Summary

Info-Tech Insight

• Creating an MVP gets you started in data governance
  Information protection and governance are not something you do once and then you are done. It is a constant process where you start with the basics (a minimum-viable product or MVP) and enhance your schema over time. The objective of the MVP is reducing obstacles to establishing an initial governance position, and then enabling rapid development of the solution to address a variety of real risks, including data loss prevention (DLP), data retention, legal holds, and data labeling.
• Define your information and protection strategy
  The initial strategy is to start looking across your organization and identifying your customer data, regulatory data, and sensitive information. To have a successful data protection strategy you will include lifecycle management, risk management, data protection policies, and DLP. All key stakeholders need to be kept in the loop. Ensure you keep track of all available data and conduct a risk analysis early. Remember, data is your highest valued intangible asset.
• Planning and resourcing are central to getting started on MVP
  A governance plan and governance decisions are your initial focus. Create a team of stakeholders that include IT and business leaders (including Legal, Finance, HR, and Risk), and ensure there is a top-level leader who is the champion of the governance objective, which is to ensure your data is safe, secure, and not prone to leakage or theft, and maintain confidentiality where it is warranted.

Executive Summary

Info-Tech Insight

Data classification is the lynchpin to any effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data do you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.

Questions you need to ask

Four key questions to kick off your MVP.

Classification tiers

Build your schema.

Info-Tech Insight

Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.

Microsoft MIP Topology

Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insight

Using least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

MVP RACI Chart

Data governance is a "takes a whole village" kind of effort.

Clarify who is expected to do what with a RACI chart.

What and where your data resides Data types that require classification.

M365 Workload Containers
Email Attachments	Site Collections, Sites	Sites	Project Databases
Contacts	Teams and Group Site Collections, Sites	Libraries and Lists	Sites
Metadata	Libraries and Lists	Documents Versions	Libraries and Lists
Teams Conversations	Documents Versions	Metadata	Documents Versions
Teams Chats	Metadata	Permissions Internal Sharing External Sharing	Metadata
	Permissions Internal Sharing External Sharing	Files Shared via Teams Chats	Permissions Internal Sharing External Sharing

Info-Tech Insight

Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.

Discover and classify on- premises files using AIP

AIP helps you manage sensitive data prior to migrating to Office 365: Use discover mode to identify and report on files containing sensitive data. Use enforce mode to automatically classify, label, and protect files with sensitive data. Can be configured to scan: SMB files SharePoint Server 2016, 2013

Map your network and find over-exposed file shares. Protect files using MIP encryption. Inspect the content in file repositories and discover sensitive information. Classify and label file per MIP policy.

Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.

Info-Tech Insight

Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.

Understanding governance

Microsoft Information Governance

Retention and backup policy decision

Retention is not backup.

Understand retention policy

What are retention policies used for? Why you need them as part of your MVP?

Do not confuse retention labels and policies with backup.

Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).

E-discovery tool retention policies are not turned on automatically.

Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.

“Data retention policy tools enable a business to:

• “Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
• “Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
• “Apply a single policy to the entire organization or specific locations or users.
• “Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users. […] ‘Retention Policies’ are different than ‘Retention Label Policies’ – they do the same thing – but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label.

“It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)

Definitions

Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.

Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.

Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.

Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.

Data examples for MVP classification

• Examples of the type of data you consider to be Confidential, Internal, or Public.
• This will help you determine what to classify and where it is.

New container sensitivity labels (MIP)

New container sensitivity labels

What users will see when they create or label a Team/Group/Site

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insights

• Manage privacy of Teams Sites and M365 Groups
• Manage external user access to SPO sites and teams
• Manage external sharing from SPO sites
• Manage access from unmanaged devices

Data protection and security baselines

Info-Tech Insights

• Controls are already in place to set data protection policy. This assists in the MVP activities.
• Finally, you need to set your security baseline to ensure proper permissions are in place.

Prerequisite baseline

Security MFA or SSO to access from anywhere, any device Banned password list BYOD sync with corporate network

Users Sign out inactive users automatically Enable guest users External sharing Block client forwarding rules

Resources Account lockout threshold OneDrive SharePoint

Controls Sensitivity labels, retention labels and policies, DLP Mobile application management policy

Building baselines

Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

Microsoft 365 Collaboration Protection Profiles

Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)

Info-Tech Insights

• Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly.
• Sensitivity labels are a way to classify your organization's data in a way that specifies how sensitive the data is. This helps you decrease risks in sharing information that shouldn't be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.

MVP activities

ACME Company MVP for M/O365

Related Blueprints

Govern Office 365

Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

Migrate to Office 365 Now

Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.

Microsoft Teams Cookbook

IT Governance, Risk & Compliance

Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.

Bibliography

“Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.

“Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.

“Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.

Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.

“Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.

“Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.

Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity. 25 October 2021. Accessed 5 April 2022.

“Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.

M., Peter. "Guide: The difference between Microsoft Backup and Retention." AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.

Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.

“Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.

“Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.

“Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.

“Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.

“Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.

Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.

Integrate IT Risk Into Enterprise Risk

Don’t fear IT risks, integrate them.

EXECUTIVE BRIEF

Analyst Perspective

Having siloed risks is risky business for any enterprise.

Valence Howden Principal Research Director, CIO Practice

Petar Hristov Research Director, Security, Privacy, Risk & Compliance

Ian Mulholland Research Director, Security, Risk & Compliance

Brittany Lutes Senior Research Analyst, CIO Practice

Ibrahim Abdel-Kader Research Analyst, CIO Practice

Every organization has a threshold for risk that should not be exceeded, whether that threshold is defined or not.

In the age of digital, information and technology will undoubtedly continue to expand beyond the confines of the IT department. As such, different areas of the organization cannot address these risks in silos. A siloed approach will produce different ways of identifying, assessing, responding to, and reporting on risk events. Integrated risk management is about embedding IT uncertainty to inform good decision making across the organization.

When risk is integrated into the organization's enterprise risk management program, it enables a single view of all risks and the potential impact of each risk event. More importantly, it provides a consistent view of the risk event in relation to uncertainty that might have once been seemingly unrelated to IT.

And all this can be achieved while remaining within the enterprise’s clearly defined risk appetite.

Executive Summary

Your Challenge

Most organizations fail to integrate IT risks into enterprise risks:

• IT risks, when considered, are identified and classified separately from the enterprise-wide perspective.
• IT is expected to own risks over which they have no authority or oversight.
• Poor behaviors, such as only considering IT risks when conducting compliance or project due diligence, have been normalized.

Common Obstacles

IT leaders have to overcome these obstacles when it comes to integrating risk:

• Making business leaders aware of, involved in, and able to respond to all enterprise risks.
• A lack of data or information being used to support a holistic risk management process.
• A low level of enterprise risk maturity.
• A lack of risk management capabilities.

Info-Tech’s Approach

By leveraging the Info-Tech Integrated Risk approach, your business can better address and embed risk by:

• Understanding gaps in the organization’s current approach to risk management practices.
• Establishing a standardized approach for how IT risks impact the enterprise as a whole.
• Driving a risk-aware organization toward innovation and considering alternative options for how to move forward.
• Helping integrate IT risks into the foundational risk practice.

Info-Tech Insight

Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize its ability to respond to risk.

What is integrated risk management?

• Integrated risk management is the process of ensuring all forms of risk information, including information and technology, are considered and included in the enterprise’s risk management strategy.
• It removes the siloed approach to classifying risks related to specific departments or areas of the organization, recognizing that each of those risks is a threat to the overarching enterprise.
• Aggregating the different threats or uncertainty that might exist within an organization allows for informed decisions to be made that align to strategic goals and continue to drive value back to the business.
• By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

Enterprise Risk Management (ERM)

• IT
• Security
• Digital
• Vendor/Third Party
• Other

Enterprise risk management is the practice of identifying and addressing risks to your organization and using risk information to drive better decisions and better opportunities.

IT risk is enterprise risk

IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

Your challenge

Embedding IT risks into the enterprise risk management program is challenging because:

• Most organizations classify risks based on the departments or areas of the business where the uncertainty is likely to happen.
• Unnecessary expectations are placed on the IT department to own risks over which they have no authority or oversight.
• Risks are often only identified when conducting due diligence for a project or ensuring compliance with regulations and standards.

Risk-mature organizations have a unique benefit in that they often have established an overarching governance framework and embedded risk awareness into the culture.

35% — Only 35% of organizations had embraced ERM in 2020. (Source: AICPA and NC State Poole College of Management)

12% — Only 12% of organizations are leveraging risk as a tool to their strategic advantage. (Source: AICPA and NC State Poole College of Management)

Common obstacles

These barriers make integrating IT risks difficult to address for many organizations:

• IT risks are not seen as enterprise risks.
• The organization’s culture toward risk is not defined.
• The organization’s appetite and threshold for risk are not defined.
• Each area of the organization has a different method of identifying, assessing, and responding to risk events.
• Access to reliable and informative data to support risk management is difficult to obtain.
• Leadership does not see the business value of integrating risk into a single management program.
• The organization’s attitudes and behaviors toward risk contradict the desired and defined risk culture.
• Skills, training, and resources to support risk management are lacking, let alone those to support integrated risk management.

Integrating risks has its challenges

62% — Accessing and disseminating information is the main challenge for 62% of organizations maturing their organizational risk management. (Source: OECD)

20-28% — Organizations with access to machine learning and analytics to address future risk events have 20 to 28% more satisfaction. (Source: Accenture)

Integrate Risk and Use It to Your Advantage

Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Risk management is more than checking an audit box or demonstrating project due diligence.

Risk Drivers Audit & compliance Preserve value & avoid loss Previous risk impact driver Major transformation Strategic opportunities		Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)	63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)	Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)	55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
		1. Assess Enterprise Risk Maturity	3. Build a Risk Management Program Plan	4. Establish Risk Management Processes	5. Implement a Risk Management Program
		2. Determine Authority with Governance Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability. Governance and related decision making is optimized with integrated and aligned risk data.			ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.		Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

Integrated Risk Mapping — Downside Risk Focus

Integrated Risk Mapping — Downside and Upside Risk

Third-Party Risk Example

Insight Summary

Overarching insight

Stop fearing risk – integrate it. Integration leads to opportunities for organizations to embrace innovation and new digital technologies as well as reducing operational costs and simplifying reporting.

Govern risk strategically

Governance of risk management for information- and technology-related events is often misplaced. Just because it's classified as an IT risk does not mean it shouldn’t be owned by the board or business executive.

Assess risk maturity

Integrating risk requires a baseline of risk maturity at the enterprise level. IT can push integrating risks, but only if the enterprise is willing to adopt the attitudes and behaviors that will drive the integrated risk approach.

Manage risk

It is not a strategic decision to have different areas of the organization manage the risks perceived to be in their department. It’s the easy choice, but not the strategic one.

Implement risk management

Different areas of an enterprise apply risk management processes differently. Determining a single method for identification, assessment, response, and monitoring can ensure successful implementation of enterprise risk management.

Tactical insight

Good risk management will consider both the positives and negatives associated with a risk management program by recognizing both the upside and downside of risk event impact and likelihood.

Integrated risk benefits

Measure the value of integrating risk

• Reduce Operating Costs

  • Organizations can reduce their risk operating costs by 20 to 30% by adopting enterprise-wide digital risk initiatives (McKinsey & Company).

• Increase Cybersecurity Threat Preparedness

  • Increase the organization’s preparedness for cybersecurity threats. 79% of organizations that were impacted by email threats in 2020 were not prepared for the hit (Diligent)

• Increase Risk Management’s Impact to Drive Strategic Value

  • Currently, only 3% of organizations are extensively using risk management to drive their unique competitive advantage, compared to 35% of companies who do not use it at all (AICPA & NC State Poole College of Management).

• Reduce Lost Productivity for the Enterprise

  • Among small businesses, 76% are still not considering purchasing cyberinsurance in 2021, despite the fact that ransomware attacks alone cost Canadian businesses $5.1 billion in productivity in 2020 (Insurance Bureau of Canada, 2021).

“31% of CIO’s expected their role to expand and include risk management responsibilities.” (IDG “2021 State of the CIO,” 2021)

Make integrated risk management sustainable

Assessment

Assess your organization’s method of addressing risk management to determine if integrated risk is possible

Assessing the organization’s risk maturity

Mature or not, integrated risk management should be a consideration for all organizations The first step to integrating risk management within the enterprise is to understand the organization’s readiness to adopt practices that will enable it to successfully integrate information. In 2021, we saw enterprise risk management assessments become one of the most common trends, particularly as a method by which the organization can consolidate the potential impacts of uncertainties or threats (Lawton, 2021). A major driver for this initiative was the recognition that information and technology not only have enterprise-wide impacts on the organization’s risk management but that IT has a critical role in supporting processes that enable effective access to data/information. A maturity assessment has several benefits for an organization: It ensures there is alignment throughout the organization on why integrated risk is the right approach to take, it recognizes the organization’s current risk maturity, and it supports the organization in defining where it would like to go.

Maturity should inform your approach to risk management

The outcome of the risk maturity assessment should inform how risk management is approached within the organization.

For organizations with a low maturity, remaining superficial with risk will offer more benefits and align to the enterprise’s risk tolerance and appetite. This might mean no integrated risk is taking place.

However, organizations that have higher risk maturity should begin to integrate risk information. These organizations can identify the nuances that would affect the severity and impact of risk events.

Integrated Risk Maturity Assessment

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).

Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

Integrated Risk Maturity Assessment A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization

Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.

Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

Drive Innovation With an Exponential IT Mindset

Are you ready to drive the adoption of autonomous business capabilities?

Analyst Perspective

IT must develop new capabilities to drive emerging tech adoption

Traditionally, CIOs have struggled to gain the trust of the executive leadership team and be recognized as business leaders rather than just technical leaders. In fact, based on a 2023 study by Info-Tech Research Group, only 36% of CIOs report directly to the CEO with most of the remainder reporting through either the CFO or COO.

Exponential IT requires that CIOs gain a seat at the table and build the capabilities necessary to not only lead the transformation of their business but also drive the innovation that will lead to enterprise adoption of emerging technologies. CIOs will be required to gain a detailed understanding of their business and in-depth knowledge of emerging technologies so that they can match business opportunities with technology capabilities, while managing risk and change.

This research will help CIOs identify the capabilities they need to transform the business, and better understand where they must mature their capabilities to drive Exponential IT.

Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group

Executive Summary

[1] Info-Tech CXO-CIO diagnostic benchmark data, 2022, n=76

Info-Tech Insight

IT must lead the innovation capabilities that will drive the adoption of emerging technology across the enterprise. In an exponential world, IT needs to adopt business value targets and become a value creator rather than limit itself to IT service targets and remain a cost center in the organization.

Drive innovation with an Exponential IT mindset

Your ability to capture enterprise value from autonomization relies on your innovation capabilities and potential. Is your IT team ready to drive the adoption of AI-driven business processes? Assess your innovation readiness in five key areas supporting Exponential IT.

IT must rapidly mature

If IT leaders cannot lead the transformation, then the business will move forward without them.

Only 3% of CXOs report that their IT department can transform the business. Most IT organizations (81%) still struggle to adequately support the business.

Common obstacles

Leverage Exponential IT to drive value from the adoption of emerging tech

The most common obstacles to innovation are cultural, including politics, lack of alignment on goals, misaligned culture, and an inability to act on indicators of change.[1]

CIOs struggle to get a seat at the table and influence change. Info-Tech research shows that only 36% of CIOs report directly to the CEO, with over a third reporting to another C-suite leader such as a COO or CFO.[2]

[1] Harvard Business Review, 2018
[2] Info-Tech Research Group CIO Time Study, 2023

Info-Tech Insight

To drive change, CIOs need to gain the trust of their senior leadership team. Getting a seat at the table should be the first step for any CIO looking to transform their business.

Many CIOs struggle to be seen as business leaders

Executive Brief: Case Study

• INDUSTRY: Financial Services
• SOURCE: Borealis AI

Borealis AI drives AI-powered transformation at Royal Bank of Canada

Borealis AI is a research center backed by RBC Royal Bank, tasked with researching, designing, and building AI products and tools which transform the financial services industry. It gathers researchers with backgrounds in artificial intelligence (AI), computer vision, natural language processing (NLP), computer science, computational finance, mathematics, and machine learning (ML) to create solutions in areas including asynchronous temporal models, non-cooperative learning in competing markets, and causal machine learning from observational data.

Results

Borealis AI has created many innovative products for RBC, including:

• NOMI Forecast: an award-winning personal financial management tool
• Turing by Borealis AI: a text-to-SQL database interface using NLP
• Aiden: an AI-powered electronic trading tool using reinforcement learning

In 2023, Borealis AI won the Best Use of AI for Customer Experience award from The Digital Banker, for the NOMI Forecast app, which has been downloaded by nearly a million RBC clients since launching in 2021.

"NOMI Forecast is a cutting-edge AI solution that uses deep learning to offer timely and accurate predictions of our clients' cashflow. Powered by our unique datasets, these AI models have been trained to deliver personalized experiences for RBC clients,"
— Foteini Agrafioti, Chief Science Officer at RBC and Head of Borealis AI

IT needs to connect emerging technology with business opportunities

Emerging tech is driving business change

Innovation is critical for business success, but succeeding is more difficult than ever

Emerging tech brings new challenges for organizations looking to create a competitive advantage. Access to sophisticated tools with minimal upfront costs have lowered the barriers to entry and democratized innovation, particularly among smaller players. The explosion of data processing & collaboration tools has allowed more focused and data-driven innovation efforts through analysis and insights, increasing the competitive advantage for those who get it right.

This has led to an accelerated pace of change as autonomous business processes start driving their own market shifts. The rise of autonomous business processes creates exponential reward, but also exponential risk for early adopters.

Innovation is increasingly critical for competitive growth

IT innovation leadership explains 75% of the variation in satisfaction with IT (Source: Info-Tech Research Group survey, n=305) and is the fourth-highest priority for IT end users.

A 7-year review by McKinsey (2020) showed that the most innovative companies[1] outperformed the market by upwards of 30%.

A 25-year study by Business Development Canada & Statistics Canada showed that innovation was more important to business success than management, human resources, marketing, or finance.

[1]Top innovators are defined as companies which were listed on Fast Company World's 50 Most Innovative Companies for 2+ years.

Adapt your approach to innovation

Both traditional and exponential (AI-driven) innovation is important for business success

Measure the value of this blueprint

Transformation efforts fail over 75% of the time[1] resulting in millions of dollars of lost revenue[2]

Our research indicates that most organizations would take months to prepare this type of assessment without our resources. That's nearly 70 work hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Improve your success rate by understanding what's needed to successfully drive innovation.

[1] Lombard, 2022
[2] FutureCIO, 2022

Establish a baseline

Gauge the effectiveness of this research by completing the following table before and after using this blueprint:

How to use this research

Five tips to get the most out of your readiness assessment

1. Each category consists of five competencies, with a maximum of five points each. The maximum score on this assessment is 100 points.
2. Effectiveness levels range from basic (Level 1) to advanced (Level 5). Level 1 is generally considered the baseline for most effectively operating organizations. If your organization is struggling with Level 1 competencies, focus on those before pursuing higher maturity areas.
3. This assessment is qualitative. Complete the assessment to the best of your ability, based on the scoring rubric provided. If you fall between levels, use the lower one in your assessment.
4. The scoring rubric may not perfectly fit the processes and practices within every organization. Consider the spirit of the description and score accordingly.
5. Other industry- and region-specific competencies may be required to succeed at exponential innovation. The competencies in this assessment are a starting point, and internal validation and assessments should be conducted to uncover additional competencies and skills.

Assess your innovation readiness:

1. Organizational Excellence

• Innovation mandate
• Transformational leadership
• Culture of innovation
• Vision & strategy

Organizational excellence sets the stage for innovation.

"Innovation distinguishes between a leader and a follower." – Steve Jobs, Apple Founder

Without strong leadership, innovation efforts are almost certain to fail. Innovation requires buy-in and support, a leader who walks the talk, culture which supports risk taking and allows failure, and a clear and compelling vision. Without these elements in place, transformation efforts are a fifteen times more likely to fail [1] – and waste time and money along the way.

[1] Lombard, 2022.

Focus on innovation to deliver business value

Satisfaction drives IT value, and innovation leadership drives satisfaction with IT

Strong leadership is critical to the success of innovation. A global survey of 600 business leaders pointed to leadership as the best predictor of innovation success[1] and showed a strong correlation between leadership ability and innovation capabilities.

Innovation leadership starts with a mandate from the senior leadership team and requires a clearly articulated vision and strategy to deliver the intended benefits to the organization. A survey of 270 business leaders showed that over a third of them struggled with articulating the right strategy or vision, hindering their efforts to innovate.[2]

45% of business leaders report that cultural issues stifle their innovation efforts, and 55% report unhealthy politics which cause infighting that negatively affects their organization.[2]

[1] McKinsey, 2008
[2] Harvard Business Review, 2018

The importance of leadership

75% of high IT satisfaction scores are associated with a strong ability to lead innovation.
Source: Info-Tech Research Group survey, n=305

Struggling to get a seat at the table?

It can be challenging to drive innovation efforts without trust and buy-in from senior leadership. Start with small initiatives and build your reputation by consistently delivering on your commitments.

Leadership starts with a mandate

Build your innovation leadership with the following capabilities:

Innovation mandate: There is strong support and trust from the senior leadership team, which gives IT leaders the opportunity to lead innovation despite any temporary failure. IT leaders are well-informed about and have input into business decisions.

Transformational leadership: IT leaders are influential change agents, not only within their organization but across their industry or community. They inspire others and actively collaborate with external partners, driving change beyond their organization.

Culture of innovation: Innovative cultures generally demonstrate ten behaviors that are most closely correlated with innovation success: growth mindset, learning-focused, psychological safety, curiosity, trust, willingness to fail, collaboration, diverse perspectives, autonomy, and appropriate risk-taking. These behaviors are embedded in the organization and strongly demonstrated in daily work.

Vision & strategy: The innovation vision and strategy are continuously refined and adapted to changing market and emerging technology trends. Emerging technology innovation is second nature in the organization, and it becomes a leader in driving change across the industry.

Additional resources for Organizational Excellence

Assess your innovation readiness:

2. Insights & Intelligence

• Business context
• Strategic foresight
• Emerging tech expertise
• Strategic alignment

The foundation of innovation is data.

"Without data you're just another person with an opinion." – Edwards Deming, Statistician

Having comprehensive and accurate data about the problems you hope to solve is critical to realizing the benefits of innovation. Build your understanding of the business and ability to predict how trends will impact your industry, then stay on top of emerging tech and align solutions with strategic business capabilities.

Act on strategic indicators

Build the ability to go from data to intelligence to insights

Info-Tech data shows that businesses are 93% more likely to be satisfied with IT when their IT teams have a better understanding of the business. Teams need to understand who your organization serves, how it delivers value, and what its goals are.

When seeking to capitalize on emerging technology opportunities, businesses face an execution challenge. 82% of business leaders report being able to identify leading indicators of change, but less than two thirds of them are confident in their ability to act on those indicators.[1]

A report by Leadership IQ noted that only 29% of the 21,008 employees surveyed considered their leader's vision consistently well aligned with the organizational vision.[2] Strategic alignment is not just important from a results perspective. It impacts employee motivation: employees with strong leadership alignment are 24% more likely to give their best at work.[2]

[1] Harvard Business Review, 2018
[2] Leadership IQ, 2020

Strategic Foresight Challenges

82% of business leaders say they can correctly identify leading indicators of change…

…however, only 58% feel confident in their abilities to act on these indicators.

Source: Harvard Business Review, 2018

You must understand the business

Develop key insights and intelligence with the following capabilities:

Business context: IT actively participates in the business as a value creator and innovator, proactively disrupting the business and driving the adoption of emerging tech that drives exponential value.

Strategic foresight: IT not only embraces emerging technologies, but actively drives innovation and disruption through their adoption. IT is adept at using trends to drive exploration and can quickly execute on initiatives.

Emerging tech expertise: There is an expert-level understanding of emerging technologies including their capabilities, limitations, risks, trends, and potential use cases. IT proactively drives the adoption of emerging technology.

Strategic alignment: IT proactively uses the business strategy to drive adoption of emerging technology and identify new opportunities. Each initiative has clear metrics and targets which directly impact business targets.

Additional resources for Intelligence & Insights

Assess your innovation readiness:

3. Agile Ideation

• Data-driven decision making
• Ability to identify opportunities
• Business engagement
• Risk management

IT must use data to drive the ideation process, engaging the business to identify opportunities – all while managing risk.

"Innovation is key. Only those who have the agility to change with the market and innovate quickly will survive."- Robert Kiyosaki, Entrepreneur & Author

Many Agile concepts are used in the process of innovation, regardless of whether the formal Agile methodology is used. Fast iterations ("fail fast"), lessons learned, and risk management are equally important for ideation as they are for execution. This category evaluates IT's ability to drive the ideation process at the enterprise level.

Use data to drive agility

Effectively using data has a threefold impact in the quality of decisions

Agility is critical for innovation, particularly when adopting emerging technology. AI and other emerging technologies are accelerating the pace of change and driving a necessary increase in how quickly organizations must adapt.

Data is also critical when building a case for change. A survey of over 1,000 senior business leaders showed that organizations that effectively use data to drive decision making are three times more likely to report significant improvements in the quality of their decisions.[1]

[1] Harvard Business School Online, 2019

Start with the business

The business must be involved in ideation. Develop the skills needed to engage the business and identify challenges and opportunities.

Engage the business to deliver value

Build your proficiency in the following ideation capabilities:

Data-driven decision making: Data is proactively collected from multiple internal and external sources to inform innovation strategies. Continuous monitoring of innovation provides a strong rationale for outcomes and benefits. Data governance, quality, and privacy measures are in place to ensure data quality.

Ability to identify opportunities: IT actively shapes the future of the organization and the industry by proactively identifying business opportunities for emerging technology and leading the way in their adoption. Experiments and pilots are often industry firsts.

Business engagement: IT enables the business by engaging at all levels to identify and refine emerging technology opportunities. They effectively communicate benefits and risks in business terms, while understanding business needs and challenges. IT collaborates with the business to establish innovation centers or communities of practice.

Risk management: There is a proactive and holistic approach to risk management, considering both opportunities and threats associated with emerging technology adoption. IT and the business continually anticipate and monitor emerging risks, evaluate the effectiveness of risk management practices, and adapt them to evolving technology landscapes.

Additional resources for Agile Ideation

Assess your innovation readiness:

4. Team Capabilities

• Resourcing & investment
• Talent & skills
• Change management
• Partnerships & ecosystem

Ensure you have the right resources and skills needed to drive innovation.

"The best way to predict the future is to invent it." – Alan Kay, Computer Scientist

Resourcing and skills are critical building blocks for driving innovation, and without a strong understanding of emerging technology and the processes needed to adopt it, organizations will falter at driving change.

Develop the right resourcing, skills, change management, and partnerships to drive Exponential IT.

Develop key skills

Scaled Agile (SAFe): Scaled Agile is a framework for implementing Agile and lean methodologies at the enterprise level or outside of a single team.

Development operations (DevOps): A methodology for software development which includes practices and tools that support the development lifecycle.

Data operations (DataOps): A set of tools and processes that support data management within an organization. Typically used when training AI on a specialized data set.

Analytics: The systematic analysis of information used to discover, interpret, and communicate insights gleaned from patterns in data. Analytics typically generate insights that support data-driven decision making.

Machine learning operations (MLOps): Tools and processes that support the development of machine learning (ML) models, including AI and large language models (LLM). Can include expertise in computer science, natural language processing (NLP), computer vision, computational algorithms, mathematics, and ML expertise.

Artificial intelligence operations (AIOps): Leveraging AI to develop autonomous business processes at the enterprise level.

Mature your emerging technology capabilities

Agile: Build the methodologies to drive execution
DevOps: Drive the software development lifecycle
DataOps: Effectively manage data
Analytics: Develop insights from data
MLOps: Develop machine learning tools
AIOps: Build autonomous business processes

Manage the building blocks of innovation

Resourcing & investment: IT manages a well-defined and substantial budget dedicated to innovation, which is integrated into the overall strategic planning and decision-making processes. Investments are made in a holistic and forward-looking manner, considering the long-term implications and potential disruption caused by emerging technologies.

Talent & skills: Teams exhibit thought leadership and innovate within emerging technologies, including advanced machine learning engineering, MLOps, DataOps, and analytics. Employees actively contribute to the advancement of these technologies, engage in research and development, and explore new applications and use cases.

Change management: This is a core competency led by change champions and change management professionals. There is a strategic approach to driving and sustaining change, focusing on long-term adoption and continuous improvement. Change management is embedded in the organizational culture, and there is a proactive effort to foster change agility and build change capability at all levels.

Partnerships & ecosystems: IT builds an orchestrated innovation ecosystem for the adoption of emerging technology. They take a proactive role in orchestrating collaboration among ecosystem partners. The organization acts as a catalyst for innovation, bringing together diverse partners to address complex challenges and drive transformative solutions.

Additional resources for Team Capabilities

Assess your innovation readiness:

5. Innovation Execution

• Governance
• Embedded security
• Infrastructure
• Ability to execute

Can you deliver results? Develop the capability to execute on innovative ideas.

"What good is an idea if it remains an idea? Try. Experiment. Fail. Try again. Change the world." – Simon Sinek, Author, Motivational Speaker

The foundational elements of innovation significantly overlap with the activities you must do to excel at core IT operations. Build your ability to execute quickly on innovative ideas and build the trust of the enterprise.

Rapidly execute on innovative ideas

IT must be able to successfully manage the foundational capabilities of innovation

The foundational capabilities of innovation are central to many core IT processes: governance, security, supporting infrastructure, and the ability to execute on ideas are all critical to running an effective IT shop.

IT governance is a critical and embedded practice ensuring information and technology investments, risks, and resources are aligned in the organization's best interests while producing business value. Effective governance ensures that the right technology investments are made at the right time to support and enable your organization's mission, vision, and goals.

Build foundational capabilities

The ability to rapidly execute on ideas is fundamental not only to innovation but also running an effective IT organization.

Develop foundational IT capabilities

The ability to execute is based on key foundational capabilities, including:

Governance: Adaptable and automated governance guides effective innovation and supports the adoption of emerging technology. Decision making is flexible and can move quickly to enable the implementation of new technologies. Responsibility and authority are aligned across all levels of the organization.

Embedded security: Security and privacy controls are embedded in the applications and technologies deployed across the enterprise. Security is built into the organizational culture, with a strong focus on promoting security awareness and fostering a security-first mindset.

Infrastructure: IT infrastructure is modern, adaptive, and future-proof. Infrastructure should support a range of emerging technology applications, including the flexibility to adapt to future use cases. There is a focus on agility, scalability, flexibility, and interoperability.

Ability to execute: The IT team drives rapid innovation across the organization and can reliably execute and collaborate with internal and external partners. They are pivotal in driving innovation initiatives that align with the organization's strategic objectives. Agile methodologies and practices are embedded in the culture of the team.

Additional resources for Innovation Execution

Activity 1: Assess your readiness for exponential innovation

Input: Core competencies; Knowledge of internal processes and capabilities
Output: Readiness assessment
Materials: Exponential Innovation Assessment Tool; Whiteboard/Flip charts
Participants: Executive leadership team, including CIO; Other internal stakeholders of vendor partnerships

1-3 hours

1. Gather key stakeholders from across your organization to participate in the readiness assessment exercise.
2. As a group, review the core competencies from the following five sections and determine where your organization's effectiveness lies for each competency. Record your responses in the Exponential Innovation Assessment Tool.

Download the Exponential Innovation Assessment Tool

Interpret your results

Understand your readiness and determine the next steps to operationalize exponential innovation.

Once you have completed the readiness assessment, use Info-Tech's maturity ladder to identify next steps and recommendations.

It is usually very challenging to lead innovation with a total score less than 50. Lower maturity organizations should focus on maturing the foundational aspects of innovation, such as those in the Innovation Execution and Team Capabilities categories, and core IT processes.

For higher maturity organizations (those with total scores 50 or higher), first focus on getting all capabilities to a minimum of Level 3, then work on progressing maturity starting with foundational categories and working upwards:

Determine your readiness

Activity 2: Create an action plan

Input: Readiness assessment
Output: Action plan to improve maturity of capabilities
Materials: Exponential Innovation Assessment Tool; Whiteboard/Flip charts
Participants: Executive leadership team, including CIO; Other internal stakeholders of vendor partnerships

1 hour

1. Gather the stakeholders who participated in the readiness assessment exercise.
2. As a group, review the results of the readiness assessment. Were there any surprises? Do the results reflect your understanding of the organization's maturity?
3. Determine which areas are likely to limit the organization's innovation capability, based on lowest scoring areas and relative importance to the organization.
4. Break out into groups and have each group identify three actions the organization could take to mature the lowest scoring areas.
5. Bring the group back together and prioritize the actions. Note who will be accountable for each next step.
6. Identify additional Info-Tech research that can assist with improving your maturity (see additional resources in this blueprint).

Author

Kim Osborne Rodriguez
Research Director, CIO Advisory
Info-Tech Research Group

Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.

Kim holds a Bachelor's degree in Honours Mechatronics Engineering and an option in Management Sciences from University of Waterloo.

Research Contributors and Experts

Jack Hakimian
Senior Vice President
Info-Tech Research Group

Jack has more than 25 years of Technology and Management Consulting experience. He has served multi-billion-dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served many large public sector institutions.

He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master's degree in Computer Engineering and an MBA from the ESCP-EAP European School of Management.

Mark Tauschek
Vice President, Infrastructure & Operations Research
Info-Tech Research Group

Mark has hands-on network design and deployment experience across verticals including healthcare, education, manufacturing, retail, and entertainment. He has extensive knowledge in the areas of technology research, process development, vendor selection, and project management. He holds specific expertise in wireless networking and mobile technologies.

Mark holds an MBA from the Richard Ivey School of Business at the University of Western Ontario and many professional wireless technology certifications.

Michael Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group

Mike Tweedie brings over 25 years as a technology executive. He's led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

Mike holds a Bachelor's degree in Architecture from Ryerson University.

Donna Bales
Principal Research Director
Info-Tech Research Group

Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multi-stakeholder industry initiatives.

Donna has a Bachelor's degree in Economics from the University of Western Ontario.

Isabelle Hertanto
Principal Research Director, Security & Privacy
Info-Tech Research Group

Isabelle Hertanto has over 15 years of experience delivering specialized IT services to the security and intelligence community. As a former federal officer for Public Safety Canada, Isabelle trained and led teams on data exploitation and digital surveillance operations in support of Canadian national security investigations. Since transitioning into the private sector, Isabelle has held senior management and consulting roles across a variety of industry sectors, including retail, construction, energy, healthcare, and the broader Canadian public sector.

Aaron Shum
Vice President, Security, Privacy, Risk & Compliance
Info-Tech Research Group

Aaron Shum is a Vice President in the Security & Privacy Research and Advisory Practice at Info-Tech Research Group. With 25+ years of experience across IT, InfoSec, and Data Privacy, he currently specializes in helping organizations implement comprehensive information security and cybersecurity programs and comply with data privacy regulations such as the European Union's General Data Protection Regulation and the California Privacy Rights Act.

Reiaz Somji
Managing Director, Consulting
Info-Tech Research Group

As a client-focused strategist with strong organizational acumen, Reiaz leverages his 20+ years of management consulting experience to help C-suite executives and managers navigate the integration of changing technology with business goals. He is currently a managing director in Info-Tech's consulting division and leads its Infrastructure practice.

Hans Eckman
Principal Research Director, Applications
Info-Tech Research Group

Hans Eckman is a business transformation leader helping organizations connect business strategy and innovation to operational excellence. He supports Info-Tech members in SDLC optimization, Agile and DevOps implementation, CoE/CoP creation, innovation program development, application delivery, and leadership development. Hans is based out of Atlanta, Georgia.

Irina Sedenko
Research Director, Data & Analytics
Info-Tech Research Group

Irina brings more than 20 years of information management experience and demonstrated expertise in big data, advanced analytics, machine learning, and AI. Her experience includes designing and implementing enterprise content management systems, defining data and analytics strategy to support business goals and objectives, creating data governance to enable data initiatives, and providing guidance to the client teams. She led teams through data lake implementation to enable advanced analytics capabilities and has hands-on data science and machine learning experience.

Research Contributors

Bill Macgowan
Director, Smart Building Digitization
Cisco

Barry Wiech
Chief Digital and Information Officer
Sime Darby Industrial

Tim Dunn
Chief Information Officer
Department of Energy & Public Works (Queensland)

Sudip Ghosh
Group Manager, Office of the CIO
Star Entertainment Group

Samantha Rose
Contract Manager
Department of Energy & Public Works (Queensland)

Bibliography

Altringer, Beth. "A New Model for Innovation in Big Companies." Harvard Business Review. 19 Nov. 2013. Accessed 15 June 2023. https://hbr.org/2013/11/a-new-model-for-innovation-in-big-companies

Bar Am, Jordan et al. "Innovation in a Crisis: Why it is More Critical Than Ever." McKinsey & Company, 17 June 2020. Accessed 15 June 2023. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/innovation-in-a-crisis-why-it-is-more-critical-than-ever

Barsh, Joanna et al. "Leadership and Innovation." McKinsey Quarterly, 1 Jan 2008. Accessed 7 July 2023. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/leadership-and-innovation

Borealis AI. "RBC Wins Best Use of AI for Customer Experience for NOMI Forecast." Borealis AI Blog, 28 Apr 2023. Accessed 13 June 2023. https://www.borealisai.com/news/rbc-wins-best-use-of-ai-for-customer-experience-for-nomi-forecast/

Boston Consulting Group, "Most Innovative Companies 2022." BGC, 15 Sept. 2022. Accessed 15 June 2023. https://www.bcg.com/en-ca/publications/2022/innovation-in-climate-and-sustainability-will-lead-to-green-growth

BrainyQuote. "Innovation Quotes." Accessed 19 June 2023. https://www.brainyquote.com/topics/innovation-quotes

Christensen, Clayton M. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business Review Press, 2016.

Cleroux, Pierre. The "I" Word. BDC. Accessed 1 Aug 2023. https://www.bdc.ca/en/articles-tools/blog/innovation-no-1-factor-business-success

FutureCIO Editors. "Failed transformation can result in US$6 million in lost revenue." FutureCIO, 29 Apr 2022. Accessed 10 Jul 2023. https://futurecio.tech/failed-transformation-can-result-in-us6-million-in-lost-revenue/

Goodreads. "W. Edwards Deming Quotes." Accessed 19 June 2023. https://www.goodreads.com/quotes/7327935-without-data-you-re-just-another-person-with-an-opinion

Haefner, Naomi et al. "Artificial intelligence and innovation management: A review, framework, and research agenda." Technological Forecasting and Social Change, Volume 162, 2021. Accessed 15 June 2023. https://www.sciencedirect.com/science/article/pii/S004016252031218X

IBM. "The new AI innovation equation." IBM Website. 13 Oct 2016. Accessed 15 June 2023. https://www.ibm.com/watson/advantage-reports/future-of-artificial-intelligence/ai-innovation-equation.html

Isomaki, Atte. "60+ Innovation Quotes and What They Can Teach You." Viima, 19 Mar 2019. Accessed 6 July 2023. https://www.viima.com/blog/innovation-quotes

Kay, Alan. "The best way to predict the future is to invent it." Quote Park, 3 June 2021. Accessed 15 June 2023. https://quotepark.com/quotes/1893243-alan-kay-the-best-way-to-predict-the-future-is-to-invent-it/

Kirsner, Scott. "The Biggest Obstacles to Innovation in Large Companies." Harvard Business Review, 30 July 2018. Accessed 15 June 2023. https://hbr.org/2018/07/the-biggest-obstacles-to-innovation-in-large-companies

Kiyosaki, Robert. "Innovation is key. Only those who have the agility to change with the market and innovate quickly will survive." AZ Quotes, 11 Dec. 2013. Accessed 15 June 2023.

Leadership IQ. "The State Of Leadership Development." Leadership IQ, 2020. Accessed 6 July 2023. https://www.leadershipiq.com/blogs/leadershipiq/leadership-development-state

Lombard, Charl. "Defining Digital: A New Approach to Digital Transformation." Info-Tech LIVE Conference, 2022. https://tymansgrpup.com/videos/defining-digital-a-new-approach-to-digital-transformation

Murphy, Mark. "A Shocking Number Of Leaders Are Not Aligned With Their Companies' Visions." Forbes, 28 Aug 2020. Accessed 6 Jul 2023. https://www.forbes.com/sites/markmurphy/2020/08/28/a-shocking-number-of-leaders-are-not-aligned-with-their-companies-visions

Seymour, Harriet et al. "How to unlock a scientific approach to change management with powerful data insights." IBM, 11 Jan 2023. Accessed 6 July 2023. https://www.ibm.com/blog/how-to-unlock-a-scientific-approach-to-change-management-with-powerful-data-insights/

Sinek, Simon. "What good is an idea if it remains an idea? Try. Experiment. Fail. Try again. Change the world." Praxie, n.d. https://praxie.com/top-innovation-quotes/

Stobierski, Tim. "The Advantages of Data-Driven Decision-Making." Harvard Business School Online, 26 Aug 2019. Accessed 6 July 2023. https://online.hbs.edu/blog/post/data-driven-decision-making

Torres, Roberto. "How tech leaders can earn C-suite trust." CIO Dive, 1 Jul 2022. Accessed 7 Jul 2023. https://www.ciodive.com/news/C-suite-trust-CIO-executives/626476/

Tushman, Michael et al. "Change Management Is Becoming Increasingly Data-Driven. Companies Aren't Ready." Harvard Business Review, 23 Oct 2017. Accessed 6 Jul 2023. https://hbr.org/2017/10/change-management-is-becoming-increasingly-data-driven-companies-arent-ready

Weick, Karl and Kathleen Sutcliffe. Managing the Unexpected: Sustained Performance in a Complex World, Third Edition. John Wiley & Sons, 2015.

Identify and Manage Strategic Risk Impacts on Your Organization

The world is in a perpetual state of change. Organizations need to build adaptive resiliency into their strategic plans to adjust to ever-changing market dynamics.

Analyst perspective

Organizations need to build flexible resiliency into their strategic plans to be able to adjust to ever-changing market dynamics.

Like most people, organizations are poor at assessing the likelihood of risk. If the past few years have taught us anything, it is that the probability of a risk occurring is far more flexible in the formula Risk = Likelihood * Impact than we ever thought possible. The impacts of these risks have been catastrophic, and organizations need to be more adaptive in managing them to strengthen their strategic plans.

Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge

Moreso than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their strategic plans to accommodate risk on an unprecedented level.

A new global change will impact your organizational strategy at any given time. So, make sure your plans are flexible enough to manage the inevitable consequences.

Common Obstacles

Identifying and managing a vendor’s potential strategic impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes affect strategic plans.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals.

Info-Tech’s Approach

Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Impacts Tool.

Info-Tech Insight

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:

This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Strategic risk impacts

Potential losses to the organization due to risks to the strategic plan

• In this blueprint, we’ll explore strategic risks (risks to the Strategic Plans of the organization) and their impacts.
• Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct strategic plans.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

62%

of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

82%

of Microsoft’s non-essential employees shifted to working from home in 2020, joining the 18% already remote.

89%

of organizations invested in web conferencing technology to facilitate collaboration.

Source: Info-Tech Tech Trends Survey 2022

Strategic risks on a global scale

Odds are at least one of these is currently affecting your strategic plans

• Vendor Acquisitions
• Global Pandemic
• Global Shortages
• Gas Prices
• Poor Vendor Performance
• Travel Bans
• War
• Natural Disasters
• Supply Chain Disruptions
• Security Incidents

Make sure you have the right people at the table to identify and plan to manage impacts.

Identify & manage strategic risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their strategic planning moving forward.

Vendor Acquisitions

The IT market is an ever-shifting environment. Larger companies often gobble up smaller ones to control their sectors. Incorporating plans to manage those shifts in ownership will be key to many strategic plans that depend on niche vendor solutions for success. Be sure to monitor the potentially affected markets on an ongoing cadence.

Global Shortages

Organizations need to accept that shortages will recur periodically and that preparing for them will significantly increase the success potential of long-term strategic plans. Understand what your business needs to stock for project needs and where those supplies are located, and plan how to rapidly access and distribute them as required if supply chain disruptions occur.

What to look for in vendors

Identify strategic risk impacts

• A vendor acquires many smaller, seemingly irrelevant IT products. Suddenly their revenue model includes aggressive license compliance audits.
  • Ensure that your installed software meets license compliance requirements with good asset management practices.
  • Monitor the market for such acquisitions or news of audits hitting companies.
• A vendor changes their primary business model from storage and hardware to becoming a self-proclaimed “professional services guru,” relying almost entirely on their name recognition to build their marketing.
  • Be wary of self-proclaimed experts and review their successes and failures with other organizations before adopting them into your business strategy.
  • Review the backgrounds their “experts” have and make sure they have the industry and technical skill sets to perform the services to the required level.

Not preparing for your growth can delay your goals

Why can’t I get a new laptop?

For example:

• An IT professional services organization plans to take advantage of the growing work-from-home trend to expand its staff by 30% over the coming year.
• Logically, this should include a review of the necessary tasks involved, including onboarding.
  • Suppose the company does not order enough equipment in preparation to cover the new staff plus routine replacement. In that case, this will delay the output of the new team members immeasurably as they wait for their company equipment and will delay existing staff whose equipment breaks, preventing them from getting back to work efficiently.

Sometimes an organization has the right mindset to take advantage of the changes in the market but can fail to plan for the particulars.

When your strategic plan changes, you need to revisit all the steps in the processes to ensure a successful outcome.

Strategic risks

Poor or uninformed business decisions can lead to organizational strategic failures

• Supply chain disruptions and global shortages
  • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.
• Poor vendor performance
  • Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.
• Vendor acquisitions
  • A lot of acquisition is going on in the market today. Large companies are buying competitors and either imposing new terms on customers or removing the competing products from the market. Prepare options for any strategy tied to a niche product.

It is important to identify potential risks to strategic plans to manage the risk and be agile enough in planning to adapt to the changing environments.

Info-Tech Insight
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Prepare your strategic risk management for success

Due diligence will enable successful outcomes

1. Obtain top-level buy-in; it is critical to success.
2. Build enterprise risk management (ERM) through incremental improvement.
3. Focus initial efforts on the “big wins” to prove the process works.
4. Use existing resources.
5. Build on any risk management activities that already exist in the organization.
6. Socialize ERM throughout the organization to gain additional buy‑in.
7. Normalize the process long term with ongoing updates and continuing education for the organization.

(Adapted from COSO)

How to assess strategic risk

1. Review Organizational Strategy
   Understand the organizational strategy to prepare for the “What If” game exercise.
2. Identify & Understand Potential Strategic Risks
   Play the “What If” game with the right people at the table.
3. Create a Risk Profile Packet for Leadership
   Pull all the information together in a presentation document.
4. Validate the Risks
   Work with leadership to ensure that the proposed risks are in line with their thoughts.
5. Plan to Manage the Risks
   Lower the overall risk potential by putting mitigations in place.
6. Communicate the Plan
   It is important not only to have a plan but also to socialize it in the organization for awareness.
7. Enact the Plan
   Once the plan is finalized and socialized, put it in place with continued monitoring for success.
   

Insight summary

Insight 1

Organizations build portions of their strategies around chosen vendors and should protect those plans against the risks of unforeseen acquisitions in the market.
Is your vendor solvent? Does it have enough staff to accommodate your needs? Has its long-term planning been affected by changes in the market? Is it unique in its space?

Insight 2

Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.
For example, Philip's recall of ventilators impacted its products and the availability of its competitor’s products as demand overwhelmed the market.

Insight 3

Organizations need to become better at risk assessment and actively manage the identified risks to their strategic plans.
Few organizations are good at identifying risks to their strategic plan. As a result, almost none realistically plan to monitor, manage, and adapt their strategies to those risks.

Strategic risk impacts are often unanticipated, causing unforeseen downstream effects. Anticipating the potential changes in the global IT market and continuously monitoring vendors’ risk levels can help organizations modify their strategic alignment with the new norms.

Identifying strategic risk

Who should be included in the discussion

• While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
• Getting input from operational experts at your organization will enhance the long-term potential for success of your strategies.
• Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying new emerging potential strategic partners.

Review your strategic plans for new risks and evolving likelihood on a regular basis.

Keep in mind Risk = Likelihood x Impact (R=L*I).

Impact (I) tends to remain the same, while Likelihood (L) is a very flexible variable.

See the blueprint Build an IT Risk Management Program

Managing strategic risk impacts

What can we realistically do about the risks?

• Review business continuity plans and disaster recovery testing.
• Institute proper contract lifecycle management.
• Re-evaluate corporate policies frequently.
• Develop IT governance and change control.
• Ensure strategic alignment in contracts.
• Introduce continual risk assessment to monitor the relevant vendor markets.
  • Regularly review your strategic plans for new risks and evolving likelihood.
  • Risk = Likelihood x Impact (R=L*I)
    • Impact (I) tends to remain the same and be well understood, while Likelihood (L) turns out to be highly variable.
• Be adaptable and allow for innovations that arise from the current needs.
  • Capture lessons learned from prior incidents to improve over time, and adjust your strategy based on the lessons.

Organizations need to be reviewing their strategic risk plans considering the likelihood of incidents in the global market.

Pandemics, extreme weather, and wars that affect global supply chains are a current reality, not unlikely scenarios.

Ongoing Improvement

Incorporating lessons learned

• Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
• When it happens, follow your incident response plans and act accordingly.
• An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
• Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The “what if” game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

1. Break into smaller groups (or if too small, continue as a single group).
2. Use the Strategic Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Strategic Risk Impact Tool

Case Study

Airline Industry Strategic Adaptation

Industry: Airline

Impact categories: Pandemic, Lockdowns, Travel Bans, Increased Fuel Prices

• In 2019 the airline industry yielded record profits of $35.5 billion.
• In 2020 the pandemic devastated the industry with losses around $371 billion.
• The industry leaders engaged experts to conduct a study on how the pandemic impacted them and propose measures to ensure the survival of their industry in the future after the pandemic.
• They determined that “[p]recise decision-making based on data analytics is essential and crucial for an effective Covid-19 airline recovery plan.”

Results

The pandemic prompted systemic change to the overall strategic planning of the airline industry.

Summary

Be vigilant and adaptable to change

• Organizations need to learn how to assess the likelihood of potential risks in the changing global world.
• Those organizations that incorporate adaptive risk management processes can prepare their strategic plans for greater success.
• Bring the right people to the table to outline potential risks in the market.
• Socialize the risk management process throughout the organization to heighten awareness and enable employees to help protect the strategic plan.
• Incorporate lessons learned from incidents into your risk management process to build better plans for future issues.

Organizations must evolve their strategic risk assessments to be more adaptive to respond to global changes in the market.

Ongoing monitoring of the market and the vendors tied to company strategies is imperative to achieving success.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

• Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
• Prioritize and classify your vendors with quantifiable, standardized rankings.
• Prioritize focus on your high-risk vendors.
• Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Reduce Agile Contract Risk

• Customer maturity levels with Agile are low, with 67% of organizations using Agile for less than five years.
• Customer competency levels with Agile are also low, with 84% of organizations stating they are below a high level of competency.
• Contract disputes are the number one or two types of disputes faced by organizations across all industries.

Build an IT Risk Management Program

• Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

Bibliography

Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

Research Contributors and Experts

• Frank Sewell
  Research Director, Info-Tech Research Group
• Steven Jeffery
  Principal Research Director, Info-Tech Research Group
• Scott Bickley
  Practice Lead, Info-Tech Research Group
• Donna Glidden
  Research Director, Info-Tech Research Group
• Phil Bode
  Principal Research Director, Info-Tech Research Group
• David Espinosa
  Senior Director, Executive Services, Info-Tech Research Group
• Rick Pittman
  Vice President, Research, Info-Tech Research Group
• Patrick Philpot
  CISSP
• Gaylon Stockman
  Vice President, Information Security
• Jennifer Smith
  Senior Director

Embed Business Relationship Management in IT

Show that IT is worthy of Trusted Partner status.

Executive Brief

Analyst Perspective

Relationships are about trust.

As long as humans are involved in enabling technology, it will always remain important to ensure that business relationships support business needs. At the cornerstone of those relationships is trust and the establishment of business value. Without trust, you won’t be believed, and without value, you won’t be invited to the business table.

Business relationship management can be a role, a capability, or a practice – either way it’s essential to ensure it exists within your organization. Show that IT can be a trusted partner by showing the value that IT offers.

Allison Straker Research Director, CIO Practice Info-Tech Research Group

Your challenge: Why focus on business relationship management?

Is IT saying this about business partners? I don’t know what my business needs and so we can’t add as much value as we’d like. My partners don’t give us the opportunity to provide new ideas to solve business problems My partners listen to third parties before they listen to IT. We’re too busy and don’t have the capacity to help my partners.

Are business partners saying this about IT? IT does not create and deliver valuable services/solutions that resolve my business pain points. IT does not come to me with innovative solutions to my business problems/challenges/issues. IT blocks my efforts to drive the business forward using innovative technology solutions. IT does not advocate for my needs with the decision makers in the organization.

Common obstacles

While organizations realize they need to do better, they often don’t know how to improve.

Organizations want to:

• Understand and strategically align to business goals
• Ensure stakeholders are satisfied
• Show project value/success

… these are all things that a mature business relationship can do to improve your organization.

Key improvement areas identified by business leaders and IT leaders

Info-Tech’s approach

BRMs who focus on achieving business value can improve organizational results.

Business relationships can take a strategic, tactical, or operational perspective.

While all levels are needed, focus on a strategic perspective for optimal outcomes.

Create business value through:

• Applying your knowledge of the business so that conversations aren’t about what IT provides. Focus on what the overall business requires.
• Ensuring your knowledge includes what is going on internally at your organization and also what occurs externally within and outside the industry (e.g. vendors, technologies used in similar industries or with similar customer interactions).
• Discussing with the perspective of “what’s in it for [insert business partner here]” – don’t just present IT’s views.
• Building a trusted strategic relationship – don’t just do well at the basics but also focus on the strategy that can move the organization to where it needs to be.

Neither you nor your partners can view IT as separate from your overall business…

…your IT goals need to be aligned with those of the overall business

IT and other lines of business need to partner together – they are all part of the same overall business.

Why it’s important to establish a BRM program

	IT Benefits Provides IT with a view of the lines of business they empower Allows IT to be more proactive in providing solutions that help business partner teams Allows IT to better manage their workload, as new requests can be prioritized and understood	Business Benefits Provides business teams with a view of the services that IT can help them with Brings IT to the table with value-driven solutions Creates an overall roadmap aligning both partners
	Drive business value into the organization via innovative technology solutions. Improve ability to meet and exceed business goals and objectives, resulting in more satisfied stakeholders (C-suite, board of directors). Enhance ability to execute business activities to meet end-customer requirements and expectations, resulting in more satisfied customers. Increase your business benefits by moving up higher – from operational to tactical to strategic.

When IT understands the business, they provide better value

Understanding all parties – including the business needs and context – is critical to effective business relationships.

Establishing a focus on business relationship management is key to improving IT satisfaction.

When business partners are satisfied that IT understands their needs, they have a higher perception of the value of overall IT

The relationship between the perception of IT value and business satisfaction is strong (r=0.89). Can you afford not to increase your understanding of business needs?

(Source: Info-Tech Research Group diagnostic data/Business-Aligned IT Strategy blueprint (N=652 first-year organizations that completed the CIO Business Vision diagnostic))

BRM success is measurable

1) Survey your stakeholders to measure improvements in customer satisfaction		2) Measure BRM success against the goals for the practice
Business satisfaction survey Audience: Business leaders Frequency: Annual Metrics: Overall Satisfaction score Overall Value score Relationship Satisfaction: Understand needs Meet needs Communication

Maturing your BRM practice is a journey

Info-Tech has developed an approach that can be used by any organization to improve or successfully implement BRM.	Become a Trusted Partner and Advisor
	KNOWLEDGE OF INDUSTRY STRATEGIC	Value Creator and Innovator Strategic view of IT and the business with knowledge of the market and trends; a connector driving value-added services.
	KNOWLEDGE OF FUNCTIONS TACTICAL	Influencer and Advocate Two-way voice between IT and business, understanding business processes and activities including IT touchpoints and growing tactical and strategic view of services and value.
	TABLE STAKES: COMMUNICATION SERVICE DELIVERY PROJECT DELIVERY OPERATIONAL	Deliver Communication, service, and project delivery and fulfillment, initial engagement with and knowledge of the business.
Foundation: Define and communicate the meaning and vision of BRM

At each level, keep maturing your BRM practice

(Adapted from BRM Institute Maturity Model and Info-Tech’s own model)

The Info-Tech path to implement BRM

Use Info-Tech’s ASPIRe method to create a continuously improving BRM practice.

Insight summary

BRM is not just about communication, it’s about delivering on business value.

Business relationship management isn’t just about having a pleasant relationship with stakeholders, nor is it about just delivering things they want. It’s about driving business value in everything that IT does and leveraging relationships with the business and IT, both within and outside your organization.

Understand your current state to determine the best direction forward.

Every organization will apply the BRM practice differently. Understand what’s needed within your organization to create the best fit.

BRM is not just a communication conduit between IT and the business.

When implemented properly, a BRM is a value creator, advocate, innovator, and influencer.

The BRM role must be designed to match the maturity level of the IT organization and the business.

Before you can create incremental business value, you must master the fundamentals of service and project delivery.

Info-Tech Insight

Knowledge of your current situation is only half the battle; knowledge of the business/industry is key.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable: Executive Buy-In and Communication Presentation Template Explain the need for the BRM practice and obtain buy-in from leadership and staff across the organization.	BRM Workbook Capture the thinking behind your organization’s BRM program.		BRM Stakeholder Engagement Plan Worksheet Worksheet to capture how the BRM practice will engage with stakeholders across the organization.
	BRM Role Expectations Worksheet How business relationship management will be supported throughout the organization at a strategic, tactical, and operational level.

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

What does a typical GI on this topic look like?

ASSESS

To assess BRM, clarify what it means to you

Who are BRM relationships with?		The BRM has multiple arms/legs to ensure they’re aligned with multiple parties – the partners within the lines of business, external partners, and technology partners.
What does a BRM do?	Engage the right stakeholders – orchestrate key roles, resources, and capabilities to help stimulate, shape, and harvest business value. Connect partners (IT and other business) with the resources needed. Help stakeholders navigate the organization and find the best path to business value.
What does a BRM focus on?		Demand Shaping – Surfacing and shaping business demand Value Harvesting – Identifying ways to increase business value and providing insights Exploring – Rationalizing demand and reviewing new business, technology, and industry insights Servicing – Managing expectations and facilitating business strategy; business capability road mapping

Determine what business relationship management is

Many organizations face business dissatisfaction because they do not understand what the role of a BRM should be.

1.1 What is BRM?

Input: Your preliminary thoughts and ideas on BRM

Output: Themes summarizing what BRM will be at your organization

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Each team member will take a colored sticky note to capture what BRM is and what it isn’t.
2. As a group, review and discuss the sticky notes.
3. Group them into themes summarizing what BRM will be at your organization.
4. Leverage the workbook to brainstorm the definition of BRM at your organization.
5. Create a refined summary statement and capture it in the Executive Buy-In and Communication Template.

Download the BRM Workbook

Download the Executive Buy-In and Communication Template

It’s important to understand what the business thinks; ask them the right questions

Leverage the CIO Business Vision Diagnostic to provide clarity on: The organization’s view on satisfaction and importance of core IT services Satisfaction across business priorities IT’s capacity to meet business needs Contact your Account Representative to get started

1.2 Use their responses to help guide your BRM program

1 hour

Input: CIO-Business Vision Diagnostic, Other business feedback

Output: Summary of your partners’ view of the IT relationship

Materials: Whiteboard/flip charts (physical or electronic)

Participants: CIO, IT management team

1. Complete the CIO Business Vision diagnostic.
2. Analyze the findings from the Business Vision diagnostic or other business relationship and satisfaction surveys. Key areas to look at include:
   • Overall IT Satisfaction
   • IT Value
   • Relationship (Understands Needs, Communicates Effectively, Executes Requests, Trains Effectively)
   • Shadow IT
   • Capacity Needs
   • Business Objectives
3. Capture the following on your analysis:
   • Success stories – what your business partners are satisfied with
   • Challenges – are the responses consistent across departments?
4. Leverage the workbook to capture your findings the goals. Key highlights should be documented in the Executive Buy-In and Communication Template.

Use the BRM Workbook to capture ideas

Polish the goals in the Executive Buy-In and Communication Template

Perform a SWOT analysis to explore internal and external business factors

A SWOT analysis is a structured planning method organizations use to evaluate the effects of internal strengths and weaknesses and external opportunities and threats on a project or business venture.

Why It Is Important

• Business SWOT reveals internal and external trends that affect the business. You may uncover relevant information about the business that the other analysis methods did not reveal.
• The organizational strengths or weaknesses will shed some light on implications that you might not have considered otherwise, such as brand perception or internal staff capability to change.

Key Tips/Information

• Although this activity is simple in theory, there is much value to be gained when performed effectively.
• Focus on weaknesses that can cause a competitive disadvantage and strengths that can cause a competitive advantage.
• Rank your opportunities and threats based on impact and probability.
• Info-Tech members who have derived the most insights from a business SWOT analysis usually involved business stakeholders in the analysis.

Review these questions to help you conduct your SWOT analysis on the business

1.3 Analyze internal and external business factors using a SWOT analysis

1 hour

Input: IT and business stakeholder expertise

Output: Analysis of internal and external factors impacting the IT organization

Materials: Whiteboard/flip charts (physical or electronic)

Participants: CIO, IT management team

1. Break the group into two teams:
   • Assign team A internal strengths and weaknesses.
   • Assign team B external opportunities and threats.
2. Think about strengths, weaknesses, opportunities, and threats as they pertain to the IT-business relationship. Consider people, process, and technology elements.
3. Have the teams brainstorm items that fit in their assigned grids. Use the prompt questions on the previous slide as guidance.
4. Pick someone from each group to fill in the SWOT grid.
5. Conduct a group discussion about the items on the list; identify implications for the BRM/IT.

Capture in the BRM Workbook

SITUATE

Your strategy informs your BRM program

Your strategy is a critical input into your program. Extract critical components of your strategy and convert them into a set of actionable principles that will guide the selection of your operating model.

Vision, Mission & Principles Leverage your vision and mission statements that communicate aspirations and purpose for key information that can be turned into design principles. Business Goal Implications Implications are derived from your business goals and will provide important context about the way BRM needs to change to meet its overarching objectives. Understand how those implications will change the way that work needs to be done – new capabilities, new roles, new modes of delivery, etc. Target-State Maturity Determine your target-state relationship maturity for your organization using the BRM goals that have been uncovered.

Outline your mission and vision for your BRM practice

If you don’t know where you’re trying to go, how do you know if you’ve arrived?

Establish the vision of what your BRM practice will achieve.

Your vision will paint a picture for your stakeholders, letting them know where you want to go with your BRM practice.

The vision will also help motivate and inspire your team members so they understand how they contribute to the organization. Your strategy must align with and support your organization’s strategy.

Good Visions Attainable – Aspirational but still within reach Communicable – Easy to comprehend Memorable – Not easily forgotten Practical – Solid, realistic Shared – Create a culture of shared ownership across the team/company

When Visions Fail Not Shared: Lack of buy-in, no alignment with stakeholders Impractical: No plan or strategy to deliver on the vision Unattainable: Set too far in the future Forgettable: Not championed, not kept in mind (Source: UX Magazine, 2011)

Derive the BRM vision statement

Begin the process of deriving the business relationship management vision statement by examining your business and user concerns. These are the problems your organization is trying to solve. Problem Statements First, ask what problems your organization hopes to solve. Analysis Second, ask what success would look like when those problems were solved. Vision Statement Third, polish the answer into a short but meaningful phrase. Paint the picture for your team and stakeholders so that they align on what BRM will achieve.

Vision statements demonstrate what your practice “aspires to be”

Your vision statement communicates a desired future state of the BRM organization. The statement is expressed in the present tense. It seeks to articulate the desired role of business relationship management and how it will be perceived.

Sample vision statements:

• To be a trusted advisor and partner in enabling business innovation and growth through an engaged design practice.
• The group will strive to become a world-class value center that is a catalyst for innovation.
• Apple: “We believe that we are on the face of the earth to make great products and that’s not changing.” (Mission Statement Academy, May 2019.)
• Coca-Cola: “To refresh the world in mind, body, and spirit, to inspire moments of optimism and happiness through our brands and actions, and to create value and make a difference.” (Mission Statement Academy, August 2019.)

2.1 Vision generation

1 hour

Input: IT and business strategies

Output: Vision statement

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Review the goals and the sample vision statements provided on the previous slide.
2. Brainstorm possible vision statements that can apply to your practice. Refer to the guidance provided on the previous page – ensure that it paints a picture for the reader to show the desired target state.
3. Leverage the workbook to brainstorm the vision. Capture the refined statement in the Executive Buy-In and Communication Template.

Use the BRM Workbook to capture ideas

Polish the goals in the Executive Buy-In and Communication Template

Create the mission statement from the problems and the vision statement

Your mission demonstrates your current intent and the purpose driving you to achieve your vision.

It reflects what the organization does for users/customers.

Make sure the practice’s mission statement reflects answers to the questions below: The questions: What does the organization do? How does the organization do it? For whom does the organization do it? What value is the organization bringing?

“A mission statement illustrates the purpose of the organization, what it does, and what it intends on achieving. Its main function is to provide direction to the organization and highlight what it needs to do to achieve its vision.” (Joel Klein, BizTank (in Hull, “Answer 4 questions to get a great mission statement.”))

2.2 Develop your own mission statement

1 hour

Input: IT and business strategies, Vision

Output: Mission statement

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Review the goals and the vision statement generated in the previous activities.
2. Brainstorm possible mission statements that can apply to your BRM practice. Capture this in your BRM workbook.
3. Refine your mission statement. Refer to the guidance provided on the previous page – ensure that the mission provides “the why”. Document the refined mission statement in the Executive Buy-In and Communication Template.

“People don't buy what you do; they buy why you do it and what you do simply proves what you believe.” (Sinek, Transcript of “How Great Leaders Inspire Action.”)

Download the BRM Workbook

Download the Executive Buy-In and Communication Template

Areas that BRMs focus on include:

Establish how much of these your practice will focus on.

VALUE HARVESTING Tracks and reviews performance Identifies ways to increase business value Provides insights on the results of business change/initiatives		DEMAND SHAPING Isn’t just demand/intake management Surfaces and shapes business demand Is influenced by knowledge of the overall business and external entities
SERVICING Coordinates resources Manages expectations Facilitates business strategy, business capability road-mapping, and portfolio and program management		EXPLORING Identifies and rationalizes demand Reviews new business, technology, and industry insights Identifies business value initiatives

Establish what success means for your focus areas

Brainstorm objectives and success areas for your BRM practice.

	VALUE HARVESTING Success may mean that you: Understand the drivers and what the business needs to attain Demonstrate focus on value in discussions Ensure value is achieved, tracking it during and beyond deployment	DEMAND SHAPING Success may mean that you: Understand the business Are engaged at business meetings (invited to the table) Understand IT; communicate clarity around IT to the business Help IT prioritize needs
	SERVICING Success may mean that you: Understand IT services and service levels that are required Provide clarity around services and communicate costs and risks	EXPLORING Success may mean that you: Surface new opportunities based on understanding of pain points and growth needs Research and partner with others to further the business Engage resources with a focus on the value to be delivered

2.3 Establish BRM goals

1 hour

Input: Mission and vision statements

Output: List of goals

Materials: Whiteboard/flip charts (physical or electronic)

Participants: CIO, IT management team, BRM team

1. Use the previous slides as a starting point – review the focus areas and sample associated objectives.
2. Determine if all apply to your role.
3. Brainstorm the objectives for your BRM practice.
4. Discuss and refine the objectives and goals until the team agrees on your starting set.
5. Leverage the workbook to establish the goals. Capture refined goals in the Executive Buy-In and Communication Template.

Download the BRM Workbook

Download the Executive Buy-In and Communication Template

PLAN

Guiding principles help you focus the development of your practice

3.1 Establish guiding principles (optional activity)

Input: Mission and vision statements

Output: BRM guiding principles

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Think about strengths, weaknesses, opportunities, and threats as well as the overarching goals, mission, and vision.
2. Identify a set of principles that the BRM practice should have. Guiding principles are shared, long-lasting beliefs that guide the use of business relationship management in your organization.

Download the BRM Workbook

Download the Executive Buy-In and Communication Template

Establish the BRM partner model and alignment

Having the right model and support is just as important as having the right people.

Don’t boil the ocean: Start small

It may be useful to pilot the BRM practice with a small group within the organization – this gives you the opportunity to learn from the pilot and share best practices as you expand your BRM practice. You can leverage the pilot business unit’s feedback to help obtain buy-in from additional groups. Evaluate the approaches for your pilot:	Work With an Engaged Business Unit This approach can allow you to find a champion group and establish quick wins.	Target Underperforming Area(s) This approach can allow you to establish significant wins, providing new opportunities for value.
	Target the Area(s) Driving the Most Business Value Provide the largest positive impact on your portfolio’s ability to drive business value; for large strategic or transformative goals.	Work Across a Single Business Process This approach addresses a single business process or operation that exists across business units, departments, or locations. This, again, will allow you to limit the number of stakeholders.

Leverage BRM goals to determine where the role fits within the organization

Strategic BRMs are considered IT leaders, often reporting to the CIO.

In product-aligned organizations, the product owners will own the strategic business relationship from a product perspective (often across LOB), while BRMs will own the strategic role for the line(s) of businesses (often across products) that they hold a relationship with. The BRM role may be played by a product family leader.

BRMs may take on a more operational function when they are embedded within another group, such as the PMO. This manifests in:

• Accountability for projects and programs
• BRM conversations around projects and programs rather than overall needs
• Often, there is less focus on stimulating need, more about managing demand
• This structure may be useful for smaller organizations or where organizations are piloting the relationship capability

Use the IT structure and the business structure to determine how to align BRM and business partners. Many organizations ensure that each LOB has a designated BRM, but each BRM may work with multiple LOBs. Ensure your alignment provides an even and manageable distribution of work.

Don’t be intimidated by those who play a significant role in relationship management

	Business Relationship Manager: Portfolio View Ongoing with broader organization-wide objectives A BRM’s strategic perspective is focused across projects and products	The BRM will look holistically across a portfolio, rather than on specific projects or products. Their focus is ensuring value is delivered that impacts the overall organization. Multiple BRMs may be responsible for lines of businesses and ensure that products and project enable LOBs effectively.
	Business Analyst: Product or Project View Works within a project or product Accomplishes specific objectives within the project/product	The BA tends to be involved in project work – to that end, they are often brought in a bit before a project begins to better understand the context. They also often remain after the project is complete to ensure project value is delivered. However, their main focus is on delivering the objectives within the project.
	Product Owner: Product View Ongoing and strategic view of entire product, with product-specific objectives	The Product Owner bridges the gap between the business and delivery to ensure their product continuously delivers value. Their focus is on the product.

3.2 Establish the BRM’s place in the organizational structure

Input: BRM goals, IT organizational structure, Business organizational structure

Output: BRM operating model

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Review the current organizational structure – both IT and overall business.
2. Think about the maturity of the IT organization and what you and your partners will be able to support at this stage in the relationship or journey. Establish whether it is necessary to start with a pilot.
3. Consider the reporting relationship that is required to support the desired maturity of your practice – who will your BRM function report into?
4. Consider the distribution of work from your business partners. Establish which BRM is responsible for which partners.
5. Document where the BRM fits in the organization in the Executive Buy-In and Communication Template.

Download the BRM Workbook

Download the Executive Buy-In and Communication Template

Align your titles to your business partners and ensure it demonstrates your strategic goals

Determine the expectations for your BRM role(s)

Below are standard expectations from BRM job descriptions. Establish whether there are changes required for your organization.

Determine role expectations (slide 2 of 3)

Determine role expectations (slide 3 of 3)

3.3 Establish BRM expectations

Input: BRM goals

Output: BRM expectations

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Review the BRM expectations on the previous slides.
2. Customize them – are they the appropriate set of expectations needed for your organization? What needs to be edited in or out?
3. Add relevant expectations – what are the things that need to be done in the BRM practice at your organization?
4. Leverage the workbook to brainstorm BRM expectations. Make sure you update them in the BRM Role Expectation Spreadsheet.

Download the BRM Workbook

Download the Executive Buy-In and Communication Template

3.4 Identify roles with BRM responsibilities

Input: BRM goals

Output: BRM-aligned roles

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Various roles can play a part in the BRM practice, managing business relationships. Which ones make sense in your organization, given the BRM goals?
2. Identify the roles and capture in the BRM Role Expectation Spreadsheet. Use the Role Expectation Alignment tab, row 1.

Download the Role Expectations Worksheet

Determine the focus for each role that may manage business relationships

	STRATEGIC	Sets Direction: Focus of the activities is at the holistic, enterprise business level	“relating to the identification of long-term or overall aims and interests and the means of achieving them”	e.g. builds overarching relationships to enable and support the organization’s strategy; has strategic conversations
	TACTICAL	Figures Out the How: Focuses on the tactics required to achieve the strategic focus	“skillful in devising means to ends”	e.g. builds relationships specific to tactics (projects, products, etc.)
	OPERATIONAL	Executes on the Direction: Day-to-day operations; how things get done	“relating to the routine functioning and activities of a business or organization”	e.g. builds and leverages relationships to accomplish specific goals (within a project or product)

3.5 Align BRM capabilities to roles

Input: Current-state model, Business value matrix, Objectives and goals

Output: BRM-aligned roles

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Review each group of role expectations – Act as a Relationship Manager, Communicate with Business Stakeholders, etc. For each group, determine the focus each role can apply to it – strategic, tactical, or operational. Refer to the previous slide for examples.
2. Capture on the spreadsheet:
   • S – This role is required to have a strategic view of the capabilities. They are accountable and set direction for this aspect of relationship management.
   • T – Indicate if the role is required to have a tactical view of the capabilities. This would include whether the role is required to figure out how the capabilities will be done; for example, is the role responsible for carrying out service management or are they just involved to ensure that that set of expectations are being performed?
   • O – Indicate if the role will have an operational view – are they the ones responsible for doing the work?
   • Note: In some organizations, a role may have more than one of these.
3. The spreadsheet will highlight the cells in green if the role plays more of the strategic role, yellow for tactical, and brown for operational. This provides an overall visual of each role’s part in relationship management.
4. (Optional) Review each detailed expectation within the group. Evaluate whether specific roles will have a different focus on the unique role expectations.

Leverage the Role Expectations Worksheet

Sample role expectation alignment

IMPLEMENT

Speak the same language as your partners: Business Value

Business value represents the desired outcome from achieving business priorities.

Value is not only about revenue or reduced expenses. Use this internal-external and capability-financial business value matrix to more holistically consider what is valuable to stakeholders.

Improved Capabilities Enhance Services Products and services that enable business capabilities and improve an organization’s ability to perform its internal operations. Increase Customer Satisfaction Products and services that enable and improve the interaction with customers or produce practical market information and insights. Inward Outward Save Money Products and services that reduce overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not put in place. Make money (Return on Investment) Products and services that are specifically related to the impact on an organization’s ability to create a return on investment. Financial Benefits

Business Value Matrix Axes: Financial Benefits vs. Improved Capabilities Improved capabilities refers to the enhancement of business capabilities and skill sets. Financial Benefits refers to the degree in which the value source can be measured through monetary metrics and is often highly tangible. Inward vs. Outward Orientation Inward refers to value sources that have an internal impact an organization’s effectiveness and efficiency in performing its operations. Outward refers to value sources that come from interactions with external factors, such as the market or your customers.

4.1 Activity: Brainstorm sources of business value

Input: Product and service knowledge, Business process knowledge

Output: Understanding of different sources of business value

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Identify your key stakeholders. These individuals are the critical business strategic partners in the organization’s governing bodies.
2. Brainstorm the different types of business value that the BRM practice can produce.
3. Is the item more focused on improving capabilities or generating financial benefits?
4. Is the item focused on the customers you serve or the IT team?
5. Enter your value item into a cell on the Business Value Matrix based on where it falls on these axes.
6. Start to think about metrics you can use to measure how effective the product or service is at generating the value source.

Use the BRM Workbook to capture sources of business value

Brainstorm the different sources of business value (continued)

See appendix for more information on value drivers:

Example: Enhance Services Dashboards/IT Situational Awareness Improve measurement of services for data-driven analytics that can improve services Collaborate to support Enterprise Architecture Approval for and support of new applications per customer demand Provide consultation for IT issues Reach Customers Provide technology roadmaps for IT services and devices Improved "PR" presence: websites, service catalog, etc. Enhance customer experience Faster Time-to-market delivering innovative technologies and current services Reduce Costs Achieve better pricing through enterprise agreements for IT services that are duplicated across several orgs Prioritization/ development of roadmap Portfolio management / reduce duplication of services Evolve resourcing strategies to integrate teams (e.g. do more with less) Return on Investment Customer -focused dashboards Encourage use of centralized services through external collaboration capabilities that fit multiple use cases Devise strategies for measured/supported migration from older IT systems/software

Implications of ineffective stakeholder management

Cheat Sheet: Identify stakeholders

Ask stakeholders “who else should I be talking to?” to discover additional stakeholders and ensure you don’t miss anyone.

List the people who are identified through the following questions:		Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.
Who will be adversely affected by potential environmental and social impacts in areas of influence that are affected by what you are doing? At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)? Will other stakeholders emerge as the phases are started and completed? Who is sponsoring the initiative?	Who benefits from the initiative? Who loses from the initiative? Who can make approvals? Who controls resources? Who has specialist skills? Who implements the changes? Who are the owners, governors, customers, and suppliers to impacted capabilities or functions?	Executives Peers Direct reports Partners Customers		Subcontractors Suppliers Contractors Lobby groups Regulatory agencies

Establish your stakeholder network “map”

Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

Your stakeholder map defines the influence landscape your BRM team operates in. It is every bit as important as the teams who enhance, support, and operate your products directly.

Notes on the network map

• Pay special attention to influencers who have many arrows; they are called “connectors,” and due to their diverse reach of influence, should themselves be treated as significant stakeholders.
• Don’t forget to consider the through-lines from one influencer through intermediate stakeholders or influencers to the final stakeholder – a single influencer may have additional influence via multiple, possibly indirect paths to a single stakeholder.

4.2 Visualize interrelationships among stakeholders to identify key influencers

Input: List of stakeholders

Output: Relationships among stakeholders and influencers

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. List direct stakeholders for your area. Ensure it includes stakeholders across the organization (both IT and business units).
2. Determine the stakeholders of your stakeholders. Consider adding each of them to the stakeholder list: assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
3. Create a stakeholder network map to visualize relationships.
   • (Optional) Use black arrows to indicate the direction of professional influence.
   • (Optional) Use dashed green arrows to indicate bidirectional, informal influence relationships.
4. Capture the list or diagram of your stakeholders in your workbook.

Categorize your stakeholders with a stakeholder prioritization map

A stakeholder prioritization map help teams categorize their stakeholders by their level or influence and ownership.

There are four areas in the map and the stakeholders within each area should be treated differently.

• Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical and a lack of support can cause significant impediment to the objectives.
• Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
• Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
• Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

4.3 Group your stakeholders into categories

Input: Stakeholder Map

Output: Categorization of stakeholders and influencers

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

Use the BRM Workbook to map your stakeholders

Define strategies for engaging stakeholders by type

Each group of stakeholders draws attention and resources away from critical tasks.

By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of the Mediators and Players are met.

Prioritize your stakeholders

There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

Apply a third dimension for stakeholder prioritization: support.

Support, in addition to interest and influence, is used to prioritize which stakeholders are should receive the focus of your attention. This table indicates how stakeholders are ranked:

Support can be determined by rating the following question: how likely is it that your stakeholder would recommend IT at your organization/your group? Our four categories of support:

• Blocker – beware of the blocker. These stakeholders do not support your cause and have the necessary drive to impede the achievement of your objectives.
• Semi-Supporter – while these stakeholders are committed to your objectives, they are somewhat apathetic to advocate on your behalf. They will support you so long as it does not require much effort from them to do so.
• Neutral – neutrals do not have much commitment to your objectives and are not willing to expend much energy to either support or detract from them.
• Supporter – these stakeholders are committed to your initiative and are willing to whole-heartedly provide you with support.

4.4 Update your stakeholder quadrant to include the three dimensions

Input: Stakeholder Map

Output: Categorization of stakeholders and influencers

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Identify the level of support of each stakeholder by answering the following question: how likely is it that your stakeholder would support your initiative/endeavor?
2. Map your results to the model in your workbook to determine each stakeholder’s category.

Use the BRM Workbook to map your stakeholders

Leverage your map to think about how to engage with your stakeholders

4.5 Create your engagement plan

Input: Stakeholder Map/list of stakeholders

Output: Categorization of stakeholders and influencers

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Leverage the BRM Stakeholder Engagement Plan spreadsheet. List your key stakeholders.
2. Consider: how do you show value at your current maturity level so that you can gain trust and your relationship can mature? Establish where your relationship lacks maturity, and consider whether you need to engage with them on a more strategic, tactical, or even operational manner.
   • At lower levels of maturity (Table Stakes), focus on service delivery, project delivery, and communication.
   • At mid-level maturity (Influencer/Advocate), focus on business pain points and a deeper knowledge of the business.
   • At higher maturity levels (Value Creator/Innovator), focus on creating value by leading innovative initiatives that drive the business forward.
3. Review the stakeholder quadrant. Update the frequency of your communication accordingly.
4. Capture the agenda for your engagements with them.

Your agenda should vary with the maturity of your relationship

Lower Maturity – Focus on service delivery, project delivery, and communication

Mid-Level Maturity – Focus on business pain points and a deeper knowledge of the business

Higher Maturity – Focus on creating value by leading innovative initiatives that drive the business forward

Stakeholder – Include both IT and business stakeholders at appropriate levels

Agenda – Manage stakeholders expectations, and clarify how your agenda will progress as the partnership matures

REASSESS & EMBED

Determine whether your business is satisfied with IT

	1	Survey your stakeholders to measure improvements in customer satisfaction.		Leverage the CIO Business Vision on a regular interval – most find that annual assessments drive success. Evaluate whether the addition or increased maturity of your BRM practice has improved satisfaction with IT.
	Business satisfaction survey Audience: Business leaders Frequency: Annual Metrics: Overall Satisfaction score Overall Value score Relationship Satisfaction: Understand needs Meet needs Communication

Check if you’ve met the BRM goals you set out to achieve

	2	Measure BRM success against the goals for the practice.		Evaluate whether the BRM practice has helped IT to meet the goals that you’ve established. For each of your goals, create metrics to establish how you will know if you’ve been successful. This might be how many or what type of interactions you have with your stakeholders, and/or it could be new connections with internal or external partners. Ensure you have established metrics to measure success at your goals.

5.1 Create metrics

Input: Goals, The attributes which can align to goal success

Output: Measurements of success

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Start with a consideration of your goals and objectives.
2. Identify key aspects that can support confirming if the goal was successful.
3. For each aspect, develop a method to measure success with a specific measurement.
4. When creating the KPI consider:
   • How you know if you are achieving your objective (performance)?
   • How frequently will you be measuring this?
   • Are you looking for an increase, decrease, or maintenance of the metric?

Use the BRM Workbook

Don’t wait all year to find out if you’re on track

Leverage the below questions to quickly poll your business partners on a more frequent basis.

Partner instructions: Please indicate how much you agree with each of the following statements. Use a scale of 1-5, where 1 is low agreement and 5 indicates strong agreement: Demand Shaping: My BRM is at the table and seeks to understand my business. They help me understand IT and helps IT prioritize my needs. Exploring: My BRM surfaces new opportunities based on their understanding of my pain points and growth needs. They engage resources with a focus on the value to be delivered. Servicing: The BRM obtains an understanding of the services and service levels that are required, clarifies them, and communicates costs and risks. Value Harvesting: Focus on value is evident in discussions – the BRM supports IT in ensuring value realization is achieved and tracks value during and beyond deployment.

Embedding the BRM practice also includes acknowledging the BRM’s part in balancing the IT portfolio

IT needs to juggle “keeping the lights on” initiatives with those required to add value to the organization. Partner with the appropriate resources (Project Management Office, Product Owners, System Owners, and/or others as appropriate within your organization) to ensure that all initiatives focus on value. Info-Tech Insight Not every organization will balance their portfolio in the same way. Some organizations have higher risk tolerance and so their higher priority goals may require that they accept more risk to potentially reap more returns.

80% of organizations feel their portfolios are dominated by low-value initiatives that do not deliver value to the business. (Source: Stage-Gate International and Product Development Institute, March/April 2009)

5.2 Prioritize your investments/ projects (optional activity)

Input: Value criteria

Output: Prioritized project listing

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Review and edit (if necessary) the criteria on tab 2 the Project Value Scorecard Development Tool.
   
2. Score initiatives and investments on tab 3 using your criteria.
   

5.3 Create a portfolio investment map (optional activity)

Input: Business capability map

Output: Portfolio investment map

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Build a capability map, outlining the value streams that support your organization’s goals and the high-level capabilities (level 1) that support the value stream (and goals).
   For more support in establishing the capability map, see Document Your Business Architecture.
   
2. Identify high-value capabilities for the organization.
3. What are the projects and initiatives that will address the critical capabilities? Add these under the high-value capabilities.
4. This process will help you demonstrate how projects align to business goals. Enter your capabilities and projects in Info-Tech’s Initiative Portfolio Map Template.

Establish your annual BRM plan

To support the BRM capability at your organization, you’ll want to communicate your plan. This will include: Business Feedback and Engagement Engaging with your partners includes meeting with them on a regular basis. Establish this frequency and capture it in your plan. This engagement must include an understanding of their goals and challenges. As Bill Gates said, “We all need people who will give us feedback. That’s how we improve” (Inc.com, 2013). There are various points in the year which will provide you with the opportunity to understand your business partners’ views of IT or the BRM role. List the opportunities to reflect on this feedback in your plan. Business-IT Alignment Bring together the views and perspectives of IT and the business. List the activities that will be required to reflect business goals in IT. These include IT goals, budget, and planning. BRM Improvement The practices put in place to support the BRM practice need to continuously evolve to support a maturing organization. The feedback from stakeholders throughout the organization will provide input into this. Ensure there are activities and time put aside to evaluate the improvements required.

5.4 Establish your year-in-the-life plan

Input: Engagement plan, BRM goals

Output: Annual BRM plan

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Start with your business planning activities – what will you as a BRM be doing as your business establishes their plans and strategies? These could include:
   • Listening and feedback sessions
   • Third-party explorations
2. Then look at your activities required to integrate within IT – what activities are required to align business directives within your IT groups? Examples can include:
   • Business strategy review
   • Capability map creation
   • Input into the Business-aligned IT strategy
   • IT budget input
3. What activities are required to continuously improve the BRM role? This may consist of:
   • Feedback discussions with business partners
   • Roadshow with colleagues to communicate and refine the practice
4. Map these on your annual calendar that can be shared with your colleagues.

Capture in the BRM Workbook Communicate using the Executive Buy-In and Communication Template

Sample BRM annual cycle

5.5 Build your transformation roadmap

Input: SWOT analysis

Output: Transformation roadmap

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. Brainstorm and discuss the key enablers that are needed to help promote and ease your BRM program.
2. Brainstorm and discuss the key blockers (or risks) that may interrupt or derail your BRM program.
3. Brainstorm mitigation activities for each blocker.
4. Enablers and mitigation activities can be listed on your transformation roadmap.

Example:

Capture in the BRM Workbook

5.5 Build your transformation roadmap (cont’d)

5. Roadmap Elements:
   • List the artifacts, changes, or actions needed to implement the new BRM program.
   • For each item, identify how long it will take to implement or change by moving it into the appropriate swim lane. Use timing that makes sense for your organization: Quick Wins, Short Term, and Long Term; Now, Next, and Later; or Q1, Q2, Q3, and Q4.

Communicate the BRM changes to set your practice up for success

Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff. The change message should: Explain why the change is needed. Summarize what will stay the same. Highlight what will be left behind. Emphasize what is being changed. Explain how change will be implemented. Address how change will affect various roles in the organization. Discuss the staff’s role in making the change successful.

Five elements of communicating change (Source: The Qualities of Leadership: Leading Change)

Apply the following communication principles to make your BRM changes relevant to stakeholders

“We tend to use a lot of jargon in our discussions, and that is a sure fire way to turn people away. We realized the message wasn’t getting out because the audience wasn’t speaking the same language. You have to take it down to the next level and help them understand where the needs are.” (Jeremy Clement, Director of Finance, College of Charleston, Info-Tech Interview, 2018)

5.6 Create a communications plan tailored to each of your stakeholders

Input: Prioritized list of stakeholders

Output: Communication Plan

Materials: Whiteboard/flip charts (physical or electronic)

Participants: Team

1. List stakeholders in order of importance in the first column.
2. Identify the frequency with which you will communicate to each group.
3. Determine the scope of the communication:
   • What key information needs to be included in the message to ensure they are informed and on board?
   • Which medium(s) will you use to communicate to that specific group?
4. Develop a concrete timeline that will be followed to ensure that support is maintained from the key stakeholders.

Related Blueprints

Business Value Measure IT Project Value Establish a process for effectively articulating and forecasting business value in projects. Maximize Business Value From IT through Benefits Realization Integrate a consistent view of value into the enterprise through governance. Service Catalog Design and Build a User-Facing Service Catalog Provide business users with a view of IT services in a language that they can understand. Intake Management Optimize IT Project Intake, Approval, and Prioritization Create an intake process aligned to project value.

Selected Bibliography

“Apple Mission and Vision Analysis.” Mission Statement Academy, 23 May 2019. Accessed 5 November 2020.

Barnes, Aaron. “Business Relationship Manager and Plan Build Run.” BRM Institute, 8 April 2014.

Barnes, Aaron. “Starting a BRM Team - Business Relationship Management Institute.” BRM Institute, 5 June 2013. Web.

BRM Institute. “Business Partner Maturity Model.” Member Templates and Examples, Online Campus, n.d. Accessed 3 December 2021.

BRM Institute. “BRM Assessment Templates and Examples.” Member Templates and Examples, Online Campus, n.d. Accessed 24 November 2021.

Brusnahan, Jim, et al. “A Perfect Union: BRM and Agile Development and Delivery.” BRM Institute, 8 December 2020. Web.

Business Relationship Management: The BRMP Guide to the BRM Body of Knowledge. Second printing ed., BRM Institute, 2014.

Chapman, Chuck. “Building a Culture of Trust - Remote Leadership Institute.” Remote Leadership Institute, 10 August 2021. Accessed 27 January 2022.

“Coca Cola Mission and Vision Analysis.” Mission Statement Academy, 4 August 2019. Accessed 5 November 2020.

Colville, Alan. “Shared Vision.” UX Magazine, 31 October 2011. Web.

Cooper, Robert, G. “Effective Gating: Make product innovation more productive by using gates with teeth.” Stage-Gate International and Product Development Institute, March/April 2009. Web.

Heller, Martha. “How CIOs Can Make Business Relationship Management (BRM) Work.” CIO, 1 November 2016. Accessed 27 January 2022.

“How Many Business Relationship Managers Should You Have.” BRM Institute, 20 March 2013. Web.

Hull, Patrick. “Answer 4 Questions to Get a Great Mission Statement.” Forbes, 10 January 2013. Web.

Kasperkevic, Jana. “Bill Gates: Good Feedback Is the Key to Improvement.” Inc.com, 17 May 2013. Web.

Merlyn, Vaughan. “Relationships That Matter to the BRM.” BRM Institute, 19 October 2016. Web.

“Modernizing IT’s Business Relationship Manager Role.” The Hackett Group, 22 November 2019. Web.

Monroe, Aaron. “BRMs in a SAFe World...That Is, a Scaled Agile Framework Model.” BRM Institute, 5 January 2021. Web.

Selected Bibliography

“Operational, adj." OED Online, Oxford University Press, December 2021. Accessed 29 January 2022.

Sinek, Simon. “Transcript of ‘How Great Leaders Inspire Action.’” TEDxPuget Sound, September 2009. Accessed 7 November 2020.

“Strategic, Adj. and n.” OED Online, Oxford University Press, December 2016. Accessed 27 January 2022.

“Tactical, Adj.” OED Online, Oxford University Press, September 2018. Accessed 27 January 2022.

“The Qualities of Leadership: Leading Change.” Cornelius & Associates, 23 September 2013. Web.

“Twice the Business Value in Half the Time: When Agile Methods Meet the Business Relationship Management Role.” BRM Institute, 10 April 2015. Web.

“Value Streams.” Scaled Agile Framework, 30 June 2020. Web.

Ward, John. “Delivering Value from Information Systems and Technology Investments: Learning from Success.” Information Systems Research Centre, August 2006. Web.

Appendix

• Business Value Drivers
• Service Blueprint
• Stakeholder Communications
• Job Descriptions

Understand business value drivers for ROI and cost

Understand Business Value Drivers that Enhance Your Services

Understand Business Value Drivers that Connect the Business to Your Customers

Service Blueprint

Service design involves an examination of the people, process and technology involved in delivering a service to your customers.

Service blueprinting provides a visual of how these are connected together. It enables you to identify and collaborate on improvements to an existing service.

The main components of a service blueprint are:

Customer actions – this anchors the service in the experiences of the customer

Front-stage – this shows the parts of the service that are visible to the customer

Back-stage – this is the behind-the-scenes actions necessary to deliver the experience to the customer

Support processes – this is what’s necessary to deliver the back-stage (and front-stage/customer experience), but is not aligned from a timing perspective (e.g. it doesn’t matter if the fridge is stocked when the order is put in, as long as the supplies are available for the chef to use)

Physical Evidence and Time are blueprint components can be added in to provide additional context & support

Stakeholder Communications

BRM Job Descriptions

Download the Job Descriptions:

• Business Relationship Manager – Level 1
• Business Relationship Manager – Level 2
• Business Relationship Manager – Level 3
• IT Business Relationship Manager